RE: [ActiveDir] adsiedit question

2007-01-23 Thread Tony Murray
It might be easier to delete the AD user objects representing the wrongly
homed SystemMailboxes, purge the mailboxes and then recreate them using one
of the two methods described here:

http://support.microsoft.com/kb/316622

Cheers
Tony  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr
HP
Sent: Wednesday, 24 January 2007 11:59 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adsiedit question

I needed to move SystemMailboxes which won't move with the wizard.
Somehow several were homed on one database and it caused event sink
problems. This was the easiest method.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 23, 2007 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adsiedit question

Why are you using adsiedit to rehome a mailbox? Doesn't the move mailbox
wizard work for your needs?
 

Sincerely, 
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



From: Condra, Jerry W Mr HP
Sent: Tue 1/23/2007 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] adsiedit question


Hi all
I didn't OT this even though I'm making modifications to Exchange since the
question seems to be adsiedit related and therefore related to AD.
I'm trying to modify an attribute for a mailbox using adsiedit.
Particularly I'm rehoming its database by modifying the homeMDB attribute.

The problem I'm running into is I'm getting an error stating "The name
reference is invalid" when I try to apply the change. I've done this a few
times but this is the first time I've run into this error. Google doesn't
give enough info to determine the cause...or maybe it is and I just don't
know enough about the response to see it...that never happens. ;-)

If anyone can shed some light it would be greatly appreciated.

Many thanks
Jerry 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


RE: [ActiveDir] Hi All,

2007-01-21 Thread Tony Murray
Hi Somesh
 
Welcome to the discussion list.
 
Tony
www.activedir.org

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Somesh Sahu
Sent: Monday, 22 January 2007 6:14 p.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Hi All,



Hi all,

 

This is Somesh, new member of this discussion forum.

 

Nice to use this site.

 

Somesh sahu



RE: [ActiveDir] AdminSDHolder orphans

2007-01-21 Thread Tony Murray
Hi Ulf

Thanks for the thoughts.

I can see there could be issues with trying to revert settings after an
object is removed from one of the protected groups.  I'm now leaning towards
the idea of reporting, rather than taking wholesale action.  It would be
good to have a canned report that shows all of the objects currently
protected by the AdminSDHolder, compared with all those that have an
adminCount value of 1 (or higher).  An administrator could then make the
decision to enable permissions inheritance on a case-by-case basis for
objects listed in the second category but not the first.

Sounds like a feature Joe should add to one of his many freeware tools. The
behaviour would be similar to OldCMP.  ;-)

Tony



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Monday, 22 January 2007 11:32 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolder orphans

Hi Tony,

late response as well - sorry.

I guess why this isn't cleaned up is the same thing as in many other issues.

If you have an admin which is in certain operators groups, and he's
"losing" those groups, it's likely that he has been delegated in some other
ways. So not reversing the settings the account is still protected from
malicious delegated admins and someone with higher privileges has to look at
this account and take care of it (e.g. looking if it's still in the right
OU).

On the other hand - and as the others mentioned - this task of cleaning up
should not run as often. And you'll either need to store the previous
permissions (we don't have an attribute for this right now), or reset to
some default permissions (we don't have a container to store them right
now), or force the reset of the inheritance and propagate parent permissions
down. Also how would we decide to reset the inheritance flag automatically -
there might be accounts in the OU which have on purpose the inheritance flag
turned off - so is a prior admin supposed to have inheritance turned on or
off in those OUs?

I don't think the task of resetting the inheritance flag would be
complicated, but it's complicated to generalize that it should be reset in
any case.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner
  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Dienstag, 19. Dezember 2006 02:32
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AdminSDHolder orphans


Just wanted to get your opinion on something.

When an object becomes a member of one of the groups protected by the
AdminSDHolder, the next run of the SDProp thread will:

•   Replace the object’s security descriptor with that of the
AdminSDHolder;
•   Disable permissions inheritance on the object;
•   Set a new adminCount attribute with a value > 0 on the object.

If the object is then removed from the protected group(s), the changes made
by the AdminSDHolder are not reversed.  In other words, the adminCount value
remains the same, as does the security descriptor.

Is it just me or does anyone think this behaviour a little strange?  What I
am finding in many environments is a large number of these AdminSDHolder
“orphans”.  These can arise quite easily, e.g. an account is made a
temporary member of a privileged group to perform a specific task or someone
changes role within the organisation.  Of course I realise that in a perfect
world these scenarios would be minimised by the use of dual accounts for
splitting standard vs. admin functions, but the reality is that it is all
too common.

The AdminSDHolder orphans can cause problems when troubleshooting delegation
issues.  For example, I came across this issue recently when setting up
permissions for GAL Sync using IIFP.  I had to tidy up before the sync would
complete without errors.

Does anyone run a regular cleanup using the script provided in this article
(or similar)?

http://support.microsoft.com/kb/817433

Do you think the AdminSDHolder behaviour should be changed to clean-up after
itself?  

Tony 





Sent via the WebMail system at mail.activedir.org
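The canned report Tony asks for above, as an added Python example (not from the thread or from any tool it mentions): it compares the accounts SDProp has stamped (adminCount >= 1) with the accounts currently protected through direct or nested membership of the protected groups, over a constructed snapshot. The protected-group list, the sample accounts and the group nesting are assumptions of the example.

```python
"""AdminSDHolder orphan report.

Added example, not from the thread: compare accounts SDProp has stamped
(adminCount >= 1) against accounts that are currently protected, i.e. that are
members, directly or through nesting, of a protected group.  Stamped accounts
that are no longer protected are the "orphans"; protected accounts that are
not yet stamped simply have not been visited by SDProp yet.
"""
from collections import deque
from typing import Dict, Iterable, List, Optional, Set

# LDAP filter an administrator would use to pull the first set from the
# directory; the comparison below works on an exported snapshot instead.
ADMINCOUNT_FILTER = "(adminCount>=1)"

# Assumption of this example: built-in groups AdminSDHolder protects on
# Windows Server 2003.  Check the list that applies to your own forest.
PROTECTED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Account Operators", "Server Operators", "Backup Operators",
    "Print Operators", "Replicator",
}

# Constructed snapshot: sAMAccountName -> adminCount as exported (None = unset).
SAMPLE_ACCOUNTS: Dict[str, Optional[int]] = {
    "alice": 1,    # direct member of Domain Admins, correctly stamped
    "bob": 1,      # nested into Domain Admins via Tier0-Ops, correctly stamped
    "carol": 1,    # left Domain Admins after a temporary task: an orphan
    "dave": None,  # just added to Backup Operators; SDProp has not run yet
    "erin": 0,     # never privileged
}
# Constructed group membership: group -> members (accounts or other groups).
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "Administrators": ["Domain Admins"],
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Tier0-Ops": ["bob"],
    "Backup Operators": ["dave"],
    "Helpdesk": ["carol", "erin"],
}


def transitive_members(groups: Dict[str, List[str]], root: str) -> Set[str]:
    """Flatten nested group membership below `root`, tolerating cycles."""
    members: Set[str] = set()
    seen = {root}
    queue = deque([root])
    while queue:
        for member in groups.get(queue.popleft(), []):
            if member in groups:          # a nested group: descend once
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:                         # a leaf account
                members.add(member)
    return members


def protected_accounts(groups: Dict[str, List[str]],
                       protected: Iterable[str] = PROTECTED_GROUPS) -> Set[str]:
    """Every account that AdminSDHolder currently protects."""
    out: Set[str] = set()
    for group in protected:
        out |= transitive_members(groups, group)
    return out


def admin_sd_holder_report(accounts: Dict[str, Optional[int]],
                           groups: Dict[str, List[str]],
                           protected: Iterable[str] = PROTECTED_GROUPS) -> Dict[str, List[str]]:
    """The two-way comparison: stamped accounts vs. currently protected accounts."""
    stamped = {name for name, count in accounts.items() if count is not None and count > 0}
    now_protected = protected_accounts(groups, protected)
    return {
        "orphans": sorted(stamped - now_protected),          # review case by case
        "not_yet_stamped": sorted(now_protected - stamped),  # SDProp catches up on its next run
        "protected": sorted(now_protected),
    }


if __name__ == "__main__":
    for section, names in admin_sd_holder_report(SAMPLE_ACCOUNTS, SAMPLE_GROUPS).items():
        print(f"{section:16s}: {', '.join(names) or '-'}")
```

On the sample data the report lists carol as the only orphan, so an administrator can decide about re-enabling inheritance on that one object rather than on everything with adminCount set.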


 
   



RE: [ActiveDir] [OT] E-Mail Template

2007-01-18 Thread Tony Murray
Hi Milton
 
In future, please use the [OT] prefix in the subject line for off-topic
posts such as this.
 
Have a look at the Exchange 5.5 FAQ here for recommendations for adding
disclaimers to email messages.
 
http://www.swinc.com/resources/exchange/faq_db.asp?status=questions&faqID=1000&faqname=Exchange%205.5&sectionID=1006&sectionName=Third%20Party%20Software%20and%20Add-Ons
 
Tony
www.activedir.org


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Milton Sancho
Sent: Friday, 19 January 2007 11:20 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] E-Mail Template


Hello,

 How do I create an e-mail template using Exchange 5.5?

 The idea is that when any employee composes a new e-mail, the bottom of
the message includes a company message that is the same for all the
employees.

 I know that at user level I can create a local signature, but I need that
information at corporate level; there has to be a way to do it at server level
config!

 Thanks for comments about it



RE: [ActiveDir] OT: Different default GALs for different groups

2007-01-18 Thread Tony Murray
Thanks Michael
 
Must have missed it :-)
 
Neither of those arguments sounds overly compelling, I agree.
 
Tony

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, 19 January 2007 9:12 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Different default GALs for different groups



Hello Tony -

 

Weren't you around for this argument a few months ago on the Exchange MVP
list? :-)

 

I think it's a crock, personally. But we were told that: a) too many people
were shooting themselves in the foot (that is, damaging their Exchange
environment) by attempting to do this, and b)  the MSFT Exchange Hosting
tools include this capability and therefore people shouldn't be doing it
manually.

 

Neither of those are defensible reasons in my mind. I could go on and on as
to why that's my opinion, but you didn't ask for me to write a white paper.
:-)

 

Thanks,

M

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, January 18, 2007 2:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Different default GALs for different groups

 

Hi Michael

 

Any idea why Microsoft no longer supports this method?

 

Tony

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, 19 January 2007 6:32 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Different default GALs for different groups

It may interest you to know that MSFT doesn't really support this anymore.
They've pulled the KB articles on it that used to exist.

 

Regardless, it still works if you set everything up properly.

 

1) remove the "Everyone" and "Authenticated Users" groups from the address
list that the Default GAL refers to

2) remove the "Everyone" and "Authenticated Users" groups from the Default
GAL

3) deny the specific group access to the Default GAL

4) create a new AL

5) remove the "Everyone" and "Authenticated Users" groups from the new AL

6) give the group FC permissions to the new AL

7) create a new GAL referring to the new AL

8) remove the "Everyone" and "Authenticated Users" groups from the new GAL

9) give the group FC permissions to the new GAL

 

I think that's all the steps. This does have side effects - among those, it
removes anonymous access to your GAL.

 

Note that if you intend to use Outlook in cached mode, you have to do the
similar steps for an OAL too.

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Watts
Sent: Thursday, January 18, 2007 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Different default GALs for different groups

 

Hey list

 

I have been battling with the following issue for what feels like an age,
but I can't seem to get it so I'm hoping someone here could provide a bit of
inspiration for me:

 

As we are a secondary school (K-12 equivalent), I would like members of a
particular group (namely staff) to have a different default GAL than another
group (students) when opening Outlook. I am really stuck with this and would
appreciate any help I can get. Our environment is W2K3, Exc2K3 and
Outlook2K3.

 

Thanks in advance

 

Jon Watts

St Catherine's School



RE: [ActiveDir] OT: Different default GALs for different groups

2007-01-18 Thread Tony Murray
Hi Michael
 
Any idea why Microsoft no longer supports this method?
 
Tony

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, 19 January 2007 6:32 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Different default GALs for different groups



It may interest you to know that MSFT doesn't really support this anymore.
They've pulled the KB articles on it that used to exist.

 

Regardless, it still works if you set everything up properly.

 

1) remove the "Everyone" and "Authenticated Users" groups from the address
list that the Default GAL refers to

2) remove the "Everyone" and "Authenticated Users" groups from the Default
GAL

3) deny the specific group access to the Default GAL

4) create a new AL

5) remove the "Everyone" and "Authenticated Users" groups from the new AL

6) give the group FC permissions to the new AL

7) create a new GAL referring to the new AL

8) remove the "Everyone" and "Authenticated Users" groups from the new GAL

9) give the group FC permissions to the new GAL

 

I think that's all the steps. This does have side effects - among those, it
removes anonymous access to your GAL.

 

Note that if you intend to use Outlook in cached mode, you have to do the
similar steps for an OAL too.

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Watts
Sent: Thursday, January 18, 2007 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Different default GALs for different groups

 

Hey list

 

I have been battling with the following issue for what feels like an age,
but I can't seem to get it so I'm hoping someone here could provide a bit of
inspiration for me:

 

As we are a secondary school (K-12 equivalent), I would like members of a
particular group (namely staff) to have a different default GAL than another
group (students) when opening Outlook. I am really stuck with this and would
appreciate any help I can get. Our environment is W2K3, Exc2K3 and
Outlook2K3.

 

Thanks in advance

 

Jon Watts

St Catherine's School



RE: [ActiveDir] Transactional log files are not deleted !!

2007-01-18 Thread Tony Murray
Hi Senthil
 
Please use the [OT] prefix in the subject line when posting off-topic.
 
Have you looked at the following KB article describing how to manually
remove the transaction log files if they are not successfully removed by a
backup?
 
http://support.microsoft.com/kb/240145
 
Tony

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Senthil Kumar
Sent: Friday, 19 January 2007 6:55 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Transactional log files are not deleted !!


Hi,
 
My Exchange 2003 server transactional log files are not deleted even though I
have taken a full backup of the information store using ntbackup. Are there any
specific settings in ESM to do that?
 
Regards,
 
Senthil


Re: [ActiveDir] client time sync

2007-01-10 Thread Tony Murray
Have you checked the Type registry parameter?

http://www.activedir.org/article.aspx?aid=74

Tony
-- Original Message --
From: "Rimmerman, Russ" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Wed, 10 Jan 2007 20:37:53 -0600


I tried it, it says:

The computer did not resync because no time data was available

 

I followed http://support.microsoft.com/kb/929276 but it was already set
right

 

 

 

Try the command... 

w32tm /resync /rediscover 

See if that helps the client figure out where it should look for time. 

~Ben 

-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ 
Sent: Wednesday, January 10, 2007 2:12 PM 
To: [EMAIL PROTECTED] 
Subject: [ActiveDir] Client time sync 


I have a machine (at least one I know of) that isn't syncing time with 
the domain controller it's logging into. I've restarted the win32time 
service on it to see if that would sync it and it doesn't. Any 
suggestions on where to start? The DC and the client are off by about 9 
minutes. 

 





[ActiveDir] [OT] ORDB shutting down

2006-12-18 Thread Tony Murray
Some news about ordb.org shutting down for those of you that might use it.

http://ordb.org/news/?id=38

Tony 







Re: [ActiveDir] Exchange reconnect(OT)

2006-12-18 Thread Tony Murray
I don't know for sure - I haven't tested it.  Even if you don't need Send As 
permissions on the object to which you want to reconnect you will need 
permissions to write a whole bunch of attribute values on the object (homeMDB, 
proxyAddresses, legacyExchangeDN, etc.).

Tony
-- Original Message --
From: "Tom Kern" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Mon, 18 Dec 2006 17:59:16 -0500

I'm almost positive you dont need "Send As" perms to reconnect a
mailbox but i may be wrong...

Thanks, I'll give it a test. I hate asking the AD guys for more perms... :(

On 12/17/06, Tony Murray <[EMAIL PROTECTED]> wrote:
> Does the account you are using to perform the reconnect have Send As
> permissions on the user object?  See the link below for the correct
> application of Send As permissions.
>
> http://msexchangeteam.com/archive/2005/01/07/348596.aspx
>
> Tony
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Sunday, 17 December 2006 2:22 p.m.
> To: activedirectory
> Subject: [ActiveDir] Exchange reconnect(OT)
>
> I have Exchange delegated full admin rights on the ex2k3 sp2 org and i have
> all the read/write perms to mailbox-enabled user attributes listed here-
> http://www.microsoft.com/technet/prodtechnol/exchange/Guides/E2k3ADPerm/bdc119c9-961a-4e78-acf8-97099256f452.mspx?mfr=true
>
> However, I'm running into this issue-
> I delete a users mailbox, which works fine. When i try to reconnect this
> orphaned mailbox to a different user, i get this error- "you do not have the
> rights required to complete the operation Id no: c1030728"
>
> Reconnecting back to the old user works fine.
>
> I have the exact same rights to the exchange attributes on both user
> objects.
>
> Is there more to permissions under the hood when reconnecting a mailbox to a
> diff user than mailbox enabling a user that i'm running into.
> I notice there is nothing in the Working with AD permissions white paper
> about reconnecting a mailbox to a diff user but i just thought it was the
> same exact rights needed for mailbox-enabling a user.
>
> Thanks


[ActiveDir] AdminSDHolder orphans

2006-12-18 Thread Tony Murray

Just wanted to get your opinion on something.

When an object becomes a member of one of the groups protected by the 
AdminSDHolder, the next run of the SDProp thread will:

•   Replace the object’s security descriptor with that of the AdminSDHolder;
•   Disable permissions inheritance on the object;
•   Set a new adminCount attribute with a value > 0 on the object.

If the object is then removed from the protected group(s), the changes made by 
the AdminSDHolder are not reversed.  In other words, the adminCount value 
remains the same, as does the security descriptor.

Is it just me or does anyone think this behaviour a little strange?  What I am 
finding in many environments is a large number of these AdminSDHolder 
“orphans”.  These can arise quite easily, e.g. an account is made a temporary 
member of a privileged group to perform a specific task or someone changes role 
within the organisation.  Of course I realise that in a perfect world these 
scenarios would be minimised by the use of dual accounts for splitting standard 
vs. admin functions, but the reality is that it is all too common.

The AdminSDHolder orphans can cause problems when troubleshooting delegation 
issues.  For example, I came across this issue recently when setting up 
permissions for GAL Sync using IIFP.  I had to tidy up before the sync would 
complete without errors.

Does anyone run a regular cleanup using the script provided in this article (or 
similar)?

http://support.microsoft.com/kb/817433

Do you think the AdminSDHolder behaviour should be changed to clean-up after 
itself?

Tony







RE: [ActiveDir] Exchange reconnect(OT)

2006-12-16 Thread Tony Murray
Does the account you are using to perform the reconnect have Send As
permissions on the user object?  See the link below for the correct
application of Send As permissions.

http://msexchangeteam.com/archive/2005/01/07/348596.aspx

Tony 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Sunday, 17 December 2006 2:22 p.m.
To: activedirectory
Subject: [ActiveDir] Exchange reconnect(OT)

I have Exchange delegated full admin rights on the ex2k3 sp2 org and i have
all the read/write perms to mailbox-enabled user attributes listed here-
http://www.microsoft.com/technet/prodtechnol/exchange/Guides/E2k3ADPerm/bdc119c9-961a-4e78-acf8-97099256f452.mspx?mfr=true

However, I'm running into this issue-
I delete a users mailbox, which works fine. When i try to reconnect this
orphaned mailbox to a different user, i get this error- "you do not have the
rights required to complete the operation Id no: c1030728"

Reconnecting back to the old user works fine.

I have the exact same rights to the exchange attributes on both user
objects.

Is there more to permissions under the hood when reconnecting a mailbox to a
diff user than mailbox enabling a user that i'm running into.
I notice there is nothing in the Working with AD permissions white paper
about reconnecting a mailbox to a diff user but i just thought it was the
same exact rights needed for mailbox-enabling a user.

Thanks


Re: [ActiveDir] Join a Domain

2006-12-11 Thread Tony Murray
Also have a look at DNSLint - a great tool for checking your SRV records are 
published in DNS correctly.

http://support.microsoft.com/kb/321046

Tony
-- Original Message --
From: "Al Mulnick" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Mon, 11 Dec 2006 14:11:16 -0500

Based on that, you *should* have other issues going on with your domain
controllers.

That SRV record is a way for the client (your workstation you're trying to
join) to find the domain controllers in its site. But it's not finding them
as expected, and therefore is unable to contact the domain.

You'll want to check your DNS server and a) make sure you're using the
proper one and b) ensure that the domain controllers are registering their
records properly.

Al

On 12/11/06, John <[EMAIL PROTECTED]> wrote:
>
> There was an error in my one client machine to join a domain. Below are:
>
> "An error occurred when DNS was queried for the service location (SRV)
> resource record used to locate a domain controller for domain
> server-2.blackstallions.com.sa.
> The error was: "No records found for given DNS query."
> (error code 0x251D DNS_INFO_NO_RECORDS)
> The query was for the SRV record for _ldap._tcp.dc._msdcs.server-2.blackstallions.com.sa"
>
> What does this SRV record means? There is something I need to re-configure
> in the server?
>
> Let me know expert.
> Thanks.
> John
>
>


 







RE: [ActiveDir] DNS scavenging question

2006-12-07 Thread Tony Murray
Hi Daniel

If this is an AD-integrated zone, it might be helpful to back-up the zone to 
file before you go ahead with the change - just in case you lose any records 
you might later want back.

http://www.activedir.org/article.aspx?aid=102

Tony
-- Original Message --
From: "Daniel Gilbert" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 7 Dec 2006 19:22:25 -0700

Thanks for the input.  Luckily for us we do not have any static records, at
least I have not created any but I will check with the other Admins to be
sure.

 

I thought AGEALLRECORDS would bring the prior records into the fold and then
they would be scavenged out in the next cycle.  Guess we will give it a try
and let everyone know how it turned out.

 

Dan

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Thursday, December 07, 2006 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS scavenging question

 

You are correct.  

 

Due to the fact that aging/scavenging was not enabled the records which were
dynamically registered were not stamped with a date/time.  Therefore the
aging/scavenging process ignores them upon starting its scavenging process.

 

You can use the AgeAllRecords which will do just that.  Age ALL your
records.  You have to be careful though.  I haven't proven this but I
believe that it will also turn your static records into dynamic record (time
stamp them).  Then when you run AgeAllRecords...well, guess what?...

 

To prevent this, Once you ageallrecords you will have to go back into the
DNS console and ensure that static/manually created records you need are not
set to Delete this record when it becomes stale by unchecking the box in the
record properties.  You might have to enable the advanced view (View
-->Advanced) to view this as well as the timestamp of the record.

 

Once you've completed this you can then right click on the DNS server name
in the DNS console and select Scavenge Stale Resource Records or via command
prompt: dnscmd  /StartScavenging

 

Note: In order to successfully configure Scavenging and Aging you will need
to enable it both on the zone and the DNS server. Which I'm sure you have
already...but just in case.

 

1. Right click on server name --> Properties --> Advanced tab --> check "Enable
automatic scavenging of stale records"; or you can enable it for all zones by
right clicking on the server name and selecting "Set Aging/Scavenging for all
Zones" --> check the box "Scavenge stale resource records" --> OK --> check the
box to apply these settings to the existing Active Directory-integrated zones
(if AD integrated) --> OK.

2. Then go to the zone and right click --> Properties --> General tab -->
Aging button and check "Scavenge stale resource records" --> OK.

 

Hope this will help...please chime in.

 

-vC

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, December 07, 2006 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS scavenging question

 

I have a rather off the wall DNS scavenging question.

 

I have a bunch of DNS records that are stale and need to be scavenged
out of the zone.  Following the O'REILLY book: DNS on Windows Server
2003 I have configured aging and scavenging.  (Don't ask why this
wasn't done when the zone was first setup, that is another story)

Now I know: If scavenging is disabled on a standard zone and you enable
scavenging, the server does not scavenge records that existed before
you enabled scavenging. The server does not scavenge those records even
if you convert the zone to an Active Directory-integrated zone first.

To enable scavenging of such records, use the AgeAllRecords in
Dnscmd.exe.  I know this must be done in order to configure existing
records to a scavengable state.

Is there a way to immediately force a scavenge cycle that will remove
all stale records?  I would not want to have to wait until the "no-refresh"
and "refresh" intervals expire.

 

 

Daniel Gilbert
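The aging and scavenging behaviour discussed in this thread, as an added Python model (not from the thread and not dnscmd itself): unstamped records are skipped by the scavenger, AgeAllRecords stamps every record including manually created ones, and a stamped record only becomes stale once both the no-refresh and refresh intervals have elapsed, so a scavenge run straight after AgeAllRecords removes nothing. The interval lengths and record names are constructed for the example.

```python
"""Model of Windows DNS aging/scavenging (added example, not from the thread).

Times are whole hours.  A record's timestamp is the hour of its last refresh;
None means no timestamp, which is how static records and records registered
before aging was enabled look to the scavenger.  Interval lengths and record
names are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NO_REFRESH_HOURS = 7 * 24   # assumed no-refresh interval
REFRESH_HOURS = 7 * 24      # assumed refresh interval


@dataclass
class Record:
    name: str
    timestamp: Optional[int]


def is_stale(rec: Record, now: int) -> bool:
    """Scavenging skips unstamped records and anything refreshed within both intervals."""
    if rec.timestamp is None:
        return False
    return now >= rec.timestamp + NO_REFRESH_HOURS + REFRESH_HOURS


def refresh(rec: Record, now: int) -> bool:
    """A client's periodic re-registration.  An unstamped record is treated as
    static and left alone; a stamped one is only re-stamped after the
    no-refresh window has passed."""
    if rec.timestamp is None or now - rec.timestamp < NO_REFRESH_HOURS:
        return False
    rec.timestamp = now
    return True


def age_all_records(zone: List[Record], now: int) -> None:
    """dnscmd /AgeAllRecords as modelled here: stamp every record, static ones included."""
    for rec in zone:
        rec.timestamp = now


def mark_static(rec: Record) -> None:
    """Unticking 'Delete this record when it becomes stale' in the console."""
    rec.timestamp = None


def scavenge(zone: List[Record], now: int) -> Tuple[List[Record], List[str]]:
    """One scavenging pass: returns the surviving records and the names removed."""
    kept = [r for r in zone if not is_stale(r, now)]
    removed = [r.name for r in zone if is_stale(r, now)]
    return kept, removed


def daniel_scenario() -> Tuple[List[str], List[str], List[str], List[str]]:
    """Walk through the thread: enable aging on an old zone, age all records, wait, scavenge."""
    now = 0
    legacy = Record("old-ws01", None)    # registered before aging was enabled, machine long gone
    printer = Record("printer01", None)  # created manually, must survive
    active = Record("ws02", None)        # registered before aging, machine still alive
    zone = [legacy, printer, active]

    _, removed_before_aging = scavenge(zone, now)   # nothing has a stamp: nothing goes

    age_all_records(zone, now)                      # everything stamped now, printer included
    mark_static(printer)                            # put the static record back, as advised above
    _, removed_right_after = scavenge(zone, now)    # intervals not elapsed: still nothing goes

    now = NO_REFRESH_HOURS + 1
    refresh(active, now)                            # ws02 re-registers once no-refresh ends
    now = NO_REFRESH_HOURS + REFRESH_HOURS + 1
    kept, removed_after_wait = scavenge(zone, now)  # only the unrefreshed stamped record is stale
    return removed_before_aging, removed_right_after, removed_after_wait, [r.name for r in kept]


if __name__ == "__main__":
    print(daniel_scenario())
```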

 

 



Re: [ActiveDir] ADU&C - Simple question

2006-12-06 Thread Tony Murray
Because you need to define the query first.  The Query string is display only, 
i.e. it will display the query that you build using the Define Query option.

Tony
-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Wed, 6 Dec 2006 14:40:21 -0500

In ADU&C, under Saved Queries/New/Query, why is the "Query string:" text
box greyed out and uneditable?


Thanks!
-James


RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Tony Murray
Well, I've done some more testing and the results are interesting. 
 
In both instances I have the policy in place and set to "Object Creator".
 

1. If the account used for AD object creation is a member of Domain
Admins the owner is shown as Domain Admins.
2. If the account used for AD object creation is a member of
Administrators the owner is shown as the account used to create the object.

 
Tony
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, 6 December 2006 12:00 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


? 
sorry to say, but I have different results...mailed them offline to Laura
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 

  _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 23:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Just to make sure everybody understands what I am saying, I'm going to
summarize this one last time.
 
If I create an object in AD while I am logged on with an account that is a
member of Domain Admins, Domain Admins becomes the owner of the object. NOT
the Administrators group. NOT the object creator. DOMAIN ADMINS.
 
If I create an object in AD while I am logged in with an account that is NOT
a member of Domain Admins and IS a member of the built-in Administrators
group in Active Directory, DOMAIN ADMINS STILL becomes the owner of the
object. NOT Administrators, and NOT the object creator.
 
Period. End of story. The group policy setting "System objects: Default
owner for objects created by members of the Administrators group" DOES NOT
AFFECT DIRECTORY OBJECTS.
 
Test. It. Yourself. :-)
 
Laura


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


? 
just like I wrote it and tony confirmed it
 
do you have other experiences?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 

  _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 21:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Test what I wrote in my other response.


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


? 
which part?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 

  _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Have you tested this?


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS... Is
this what you mean?

 

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have
configured Account Management for SUCCESS (also the default if I'm not
mistaken). If it concerns OTHER objects you are lucky if you have configured
directory service access for SUCCESS (also the default if I'm not
mistaken) AND you have configured one or more SACLs on objects or OUs with
objects that should be audited.

 

jorge

 


  _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: dinsdag 5 december 2006 18:20
To: ActiveDir@

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Tony Murray

I did Laura's test (the thread was wearing me down ;-)).

Even with the policy set to "Object Creator" it still shows Domain Admins as 
the owner if I create an object with an account that is member of Domain 
Admins.  In my case the Domain Admins group is a member of the built-in 
Administrators group.  This means that I saw the option in the security tab to 
change the ownership from Domain Admins to either Administrators or the account 
I was logged in with.

The conclusion is that you can't use this policy to change the behaviour for AD 
accounts.  Might be different for local accounts on member servers and 
workstations - but I haven't tested this.

Tony
-- Original Message --
From: "Laura A. Robinson" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Tue, 05 Dec 2006 13:44:47 -0500

Have you tested this?


   _

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS... Is
this what you mean?



If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have
configured Account Management for SUCCESS (also the default if I'm not
mistaken). If it concerns OTHER objects you are lucky if you have configured
directory service access for SUCCESS (also the default if I'm not mistaken)
AND you have configured one or more SACLs on objects or OUs with objects
that should be audited.



jorge




   _


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: dinsdag 5 december 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



I'd say that you should test it. Create and link a policy where you've set
"system objects: default owner for objects created by members of the
administrators group" to "Object creator". Then create a user in AD and
check the ownership.



Laura




   _


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

?

can you explain?



Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services



LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*  Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail  : 




   _


From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

Which will have no effect on the ownership of the directory objects.



Laura




   _


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

look at the owner



if it lists ADMINISTRATORS, you might wanna change the security option in
the default DCs GPO which is called: "system objects: default owner for
objects created by members of the administrators group"



Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services



LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*   Tel : +31-(0)40-29.57.777

*   Mobile : +31-(0)6-26.26.62.80

*   E-mail : 




   _


From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD object?

?

We had a few user accounts that were deleted and then recreated and nobody
will take responsibility.

I used ADSIedit to verify the creation date/time.



While auditing is enabled, the Security log rolled and we missed the event
(yes I know it's an issue).



Is there a way to see who created the user object?





Thanks, Mitch.


Re: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-04 Thread Tony Murray
You might be able to find out who created it by looking at the Owner in the 
Security tab.  However if the account used to create the object is a member of 
Domain Admins it will show this as owner instead of the specific user's name.

There was a discussion thread on this a couple of days ago.

http://www.activedir.org/ma/default.aspx?msg=16424

Tony
-- Original Message --
From: "Mitch Reid" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Mon, 4 Dec 2006 15:14:50 -0500

We had a few user accounts that were deleted and then recreated and nobody
will take responsibility.
I used ADSIedit to verify the creation date/time.

While auditing is enabled, the Security log rolled and we missed the event
(yes I know it's an issue).

Is there a way to see who created the user object?


Thanks, Mitch.



Re: [ActiveDir] Tombstone.

2006-12-04 Thread Tony Murray
Hi Ajay

Not sure what network objects you are interested in, but you do have the 
ability to reanimate tombstoned objects.  The main issue with this is that not 
all of the attributes are preserved when the object is tombstoned, which means 
you won't get back everything that was lost using this method.

For some tools leveraging the reanimation API, have a look at:

http://www.microsoft.com/technet/sysinternals/utilities/AdRestore.mspx

http://www.quest.com/object_restore_for_active_directory/

Also have a look at the discussion thread below.  Dean Wells shows how to 
modify the schema to include additional attributes in tombstone reanimation.

http://www.mail-archive.com/activedir@mail.activedir.org/msg30802.html

Tony
-- Original Message --
From: "Ajay Kumar" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Tue, 5 Dec 2006 00:33:21 +0530

Hi all,

I have a query.
Is it possible to recover a network object from the AD tombstone?
If not, then what is the use of it?

Regards,
Ajay pardeshi



Re: [ActiveDir] dynamic variables within an event log entry?

2006-11-30 Thread Tony Murray
Hi Michael

If you have Account Management auditing enabled you should see 624 events that 
show the account used to create new accounts.  Here's an example.

***
Event Type: Success Audit
Event Source:   Security
Event Category: Account Management 
Event ID:   624
Date:   1/12/2006
Time:   2:48:41 p.m.
User:   DEV\su-141820
Computer:   ADC01
Description:
User Account Created:
New Account Name:   jamesb
New Domain: DEV
New Account ID: DEV\jamesb
Caller User Name:   su-141820
Caller Domain:  DEV
Caller Logon ID:(0x0,0x72DE0)
Privileges  -
 Attributes:
Sam Account Name:   jamesb
Display Name:   James Blench
User Principal Name:[EMAIL PROTECTED]
Home Directory: -
Home Drive: -
Script Path:-
Profile Path:   -
User Workstations:  -
Password Last Set:   
Account Expires: 
Primary Group ID:   513
AllowedToDelegateTo:-
Old UAC Value:  0x0
New UAC Value:  0x15
User Account Control:   
Account Disabled 
'Password Not Required' - Enabled 
'Normal Account' - Enabled 
User Parameters:-
Sid History:-
Logon Hours: 


For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.
***

The name of the account used to create the new user is shown in the Caller User 
Name field (in this case su-141820, which is a member of Domain Admins).

Tony

-- Original Message --
From: "Thommes, Michael M." <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 30 Nov 2006 18:33:22 -0600

I wonder if someone could explain to me (or point me at some reference)
about what mechanism is used to populate the information in a Windows
event log entry.  The reason why I ask is that I see in the Security log
when a new user account is created by an account which is a member of
the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins , not
XYZ\adminacct1 .  If it is created by an account that is a member of the
Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not
XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this design on purpose
or a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes
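The two threads above reach the same conclusion from different directions: the object's Owner is not a reliable record of who created it (it shows Domain Admins when the creator is a Domain Admin), but the account-creation audit event on the originating DC is, and REPADMIN /SHOWOBJMETA tells you which DC that is. The following PowerShell ties those two steps together. It is an added example, not code from the list or from any poster. It assumes the RSAT ActiveDirectory module, DCs running Windows Server 2008 or later (event ID 4720 is the successor of the 624 event shown above, and Get-WinEvent cannot read a Server 2003 log remotely), and rights to read the DC's Security log; the function names, the 30-minute search window and the handling of the originating-server identity format are my own choices.

```powershell
# Added example: find the DC on which a user object was created, then pull the matching
# account-creation audit event from that DC's Security log.
# Assumptions (not from the thread): RSAT ActiveDirectory module present, DCs run
# Windows Server 2008 or later (event 4720 replaces the 624 event shown in the thread),
# and the caller may read the Security log remotely (Event Log Readers or admin on the DC).
Import-Module ActiveDirectory

function Resolve-OriginatingDC {
    # Get-ADReplicationAttributeMetadata reports the originating server either as a
    # hostname or as the DN of its NTDS Settings object (assumption); normalise both.
    param([string]$Identity)
    if ($Identity -like 'CN=NTDS Settings,*') {
        $serverDn = ($Identity -split ',', 2)[1]          # drop the leading RDN
        return (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName
    }
    return $Identity
}

function Find-ObjectCreator {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$WindowMinutes = 30     # tolerance around the creation time (clock skew)
    )

    $user = Get-ADUser -Identity $SamAccountName
    $dn   = $user.DistinguishedName

    # objectClass is written exactly once, at creation, so its replication metadata
    # (the same data repadmin /showobjmeta prints) names the DC that originated the object.
    $meta = Get-ADReplicationAttributeMetadata -Object $dn -Server (Get-ADDomainController).HostName |
            Where-Object { $_.AttributeName -eq 'objectClass' }
    $originDC = Resolve-OriginatingDC $meta.LastOriginatingChangeDirectoryServerIdentity
    $created  = $meta.LastOriginatingChangeTime

    # Only the originating DC audited the creation; the others merely replicated it in.
    $events = Get-WinEvent -ComputerName $originDC -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4720                                 # "A user account was created"
        StartTime = $created.AddMinutes(-$WindowMinutes)
        EndTime   = $created.AddMinutes($WindowMinutes)
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Warning "No 4720 event for $SamAccountName on $originDC around $created; the log may have rolled over."
        return
    }

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        if ($d['TargetUserName'] -eq $user.SamAccountName) {
            [pscustomobject]@{
                Target        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                CreatedBy     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"  # the 624 "Caller User Name"
                OriginatingDC = $originDC
                LoggedAt      = $e.TimeCreated
                RecordId      = $e.RecordId
            }
        }
    }
}

# Usage:
# Find-ObjectCreator -SamAccountName jamesb
```

The CreatedBy field is the real account, whatever the object's Owner says. As Mitch's original message shows, this only works while the event is still in the log; if the Security log has already rolled, neither the owner nor the replication metadata will name the creator, which is the argument for forwarding DC security logs off-box.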



Re: [ActiveDir] Delegate VPN rights

2006-11-30 Thread Tony Murray
You will need to modify dssec.dat to expose the property.

http://www.activedir.org/article.aspx?aid=24#11

Tony
-- Original Message --
From: "WATSON, BEN" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 30 Nov 2006 09:34:39 -0800

I'm attempting to delegate out the permissions to adjust the Remote
Access Permissions under the Dial-In tab in Active Directory for user
accounts.  When performing an LDAP query, I notice that changes to this
setting are recorded in the msNPAllowDialin attribute.  Set to False
when Deny Access is set, True when Allow Access is set, and "not set"
when Control Access through Remote Access Policy is set.

 

However when I attempt to delegate out the rights to a security group so
they can modify this, it is not listed as a selectable property.  Am I
missing something here?  Should I be looking for a different property to
delegate out this right?

 

Thanks,

~Ben Watson



Re: [ActiveDir] Anonymous Access to Virtual Directory or Web Site...

2006-11-28 Thread Tony Murray

Hi Ravi

Have you checked the NTFS security in addition to the IIS settings?

I had a similar problem before and it had to do with the policy settings for 
User Rights Assignments.

"Guests" had been added to the list of those denied access in the following 
setting:

Computer Configuration -> Windows Settings -> Security Settings -> Local 
Policies -> User Rights Assignments -> Deny Access to this computer from the 
network.

My problem was resolved by removing "Guests" from the list.

Tony

-- Original Message --
From: "Ravi Dogra" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Wed, 29 Nov 2006 06:20:41 +0530

Hi,

I want to configure anonymous access to a virtual directory. But when I
try to configure the same it gives me an access denied error. But when I
do mixed auth it asks me for username and password and works fine.
But that's what I don't want.

I don't want it to ask me for user name and password when opening the page.

Please help!!!

--
RD


Re: [ActiveDir] Exchange 2003 management tasks overview

2006-11-27 Thread Tony Murray
You could do worse than the Exchange Server Cookbook. It's got most of the 
common management and support tasks.  There is no spreadsheet showing all the 
tasks, but there is an index :-)

http://www.oreilly.com/catalog/exchangeckbk/

Tony

-- Original Message --
From: "Victor W." <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Mon, 27 Nov 2006 21:40:32 +0100

I am looking for an overview with all Exchange 2003 management/support tasks
in it. Something like a large Excel sheet for instance. 

So far I have looked in the Exchange Administration Guide and the Operation
Guide and there is a lot in there, like tasks and checklists and so on. I
would have to go through the entire document and pick here and there some
tasks out of there, the tasks have not really been summed up nicely.

Is there something like an already made overview out there.



[ActiveDir] A few things [List Admin]

2006-10-27 Thread Tony Murray



Hi 
all
 
Just a couple of 
things.
 

  I will be out of 
  the country for three weeks from tomorrow, with only intermittent access to 
  email.  While I am away Matty Holland will be looking after the 
  list.  If you see any problems or need help with unsubscribing, etc. then 
  Matty is your man ([EMAIL PROTECTED]).  Please play 
  nicely while I'm away or I won't bring you a present. ;-)
  I am aware of the 
  ongoing list latency problems and am awaiting a response from my ISP.  
  Hopefully it will be resolved shortly.  I suspect it might be related to 
  volume, as the number of subscribed users has grown quite sharply over the 
  past few months.
  You may have 
  noticed the recent time-out issues with the archive hosted at 
  ActiveDir.org.  The experiment we had with using Mhonarc for archiving largely failed due to 
  the poor performance.  We are working on a new archive using a different 
  method and this should be available shortly.  In the meantime, please use 
  the off-site archive at http://www.mail-archive.com/activedir@mail.activedir.org/
  Finally, a reminder 
  that you can subscribe to the list with the "No mail" (aka 
  post-only) option, which is useful if you have a public folder subscribed 
  to the list but also want to be able to post (but not receive mail) using your 
  own address.  If you want me to set you up for this, just let me know 
  (but bear in mind that I may not get around to it immediately, because I'll be 
  on the beach - ha ha ha).
Tony
ActiveDir.org 
general dogsbody.


Re: [ActiveDir] list lastlogontime for every user script

2006-10-26 Thread Tony Murray
Have you looked at this Perl sample from the AD Cookbook?

http://techtasks.com/code/viewbookcode/1608

Another alternative is to write your script around Joe's ADFIND (or even 
OldCMP).  ADFIND has the ability to handle the date formats in a user-friendly 
way.

Tony

-- Original Message --
From: "Ramon Linan" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 26 Oct 2006 16:59:20 -0400

Hi,
 
I am trying to do a script or something that will list lastlogontime
for all users so I can receive an email when someone has not used the
account for more than 30 days.
 
I have seen a couple of examples of half-built scripts that don't work;
I get lost when they start dealing with converting the number to a
date...
 
Does anyone have a script that will do something similar? Does joeware have
something similar?
 
Thanks
 
Ramon
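The conversion Ramon gets lost in is the 64-bit FILETIME (100-nanosecond ticks since 1601-01-01 UTC) that AD stores in lastLogon and lastLogonTimestamp, and the trap behind it is that lastLogon is not replicated, so each DC holds its own value and the newest one across all DCs is the real answer (lastLogonTimestamp is replicated, but is only refreshed when it is roughly 14 days stale, which is acceptable for a 30-day threshold but not for anything finer). The PowerShell below is an added example, not code from the list, from the AD Cookbook or from joeware. It assumes the RSAT ActiveDirectory module and read access to user objects on every DC; the function names are mine, and the SMTP relay and addresses in the usage lines are placeholders.

```powershell
# Added example: report enabled users that have not logged on for N days, asking every
# DC for lastLogon (not replicated) and keeping the newest value per user.
# Assumptions (not from the thread): RSAT ActiveDirectory module, read access to user
# objects on all DCs; mail relay and addresses in the usage lines are placeholders.
Import-Module ActiveDirectory

function ConvertFrom-FileTime {
    # lastLogon/lastLogonTimestamp are FILETIME values. A missing attribute arrives as
    # $null; treat $null and 0 as "never logged on" rather than as the year 1601.
    param([AllowNull()]$Value)
    if (-not $Value -or [int64]$Value -eq 0) { return $null }
    return [DateTime]::FromFileTimeUtc([int64]$Value)
}

function Get-StaleUsers {
    param(
        [int]$Days = 30,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddDays(-$Days)
    $latest = @{}    # DN -> record carrying the newest lastLogon seen so far

    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-ADUser -Server $dc -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
                   -Properties lastLogon, lastLogonTimestamp, whenCreated |
        ForEach-Object {
            $seen = ConvertFrom-FileTime $_.lastLogon
            $key  = $_.DistinguishedName
            if (-not $latest.ContainsKey($key)) {
                $latest[$key] = [pscustomobject]@{
                    SamAccountName     = $_.SamAccountName
                    WhenCreated        = $_.whenCreated.ToUniversalTime()
                    LastLogon          = $seen
                    LastLogonDC        = $(if ($seen) { $dc } else { $null })
                    LastLogonTimestamp = ConvertFrom-FileTime $_.lastLogonTimestamp
                }
            } elseif ($seen -and (-not $latest[$key].LastLogon -or $seen -gt $latest[$key].LastLogon)) {
                # This DC has a newer logon for the user than any DC queried so far.
                $latest[$key].LastLogon   = $seen
                $latest[$key].LastLogonDC = $dc
            }
        }
    }

    foreach ($u in $latest.Values) {
        # Accounts that have never logged on are judged by creation date, so a user
        # created yesterday is not reported as stale.
        $reference = if ($u.LastLogon) { $u.LastLogon } else { $u.WhenCreated }
        if ($reference -lt $cutoff) {
            $u | Add-Member -NotePropertyName DaysIdle `
                            -NotePropertyValue ([int]($now - $reference).TotalDays) -PassThru
        }
    }
}

# Usage: print the report, or mail it from a scheduled task.
# Get-StaleUsers -Days 30 | Sort-Object DaysIdle -Descending | Format-Table -AutoSize
# $body = Get-StaleUsers -Days 30 | ConvertTo-Csv -NoTypeInformation | Out-String
# Send-MailMessage -SmtpServer smtp.example.com -From ad-reports@example.com `
#                  -To admins@example.com -Subject 'Users idle > 30 days' -Body $body
```

Querying every DC is what makes the result trustworthy; a script that reads lastLogon from a single DC will report users who simply authenticate elsewhere as idle, and disabling accounts on that basis is how a stale-account clean-up turns into an outage.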



Re: [ActiveDir] Apply a Group Policy to all but one user

2006-10-19 Thread Tony Murray
You can set a security group filter on the GPO.  The archive link shows a 
method described by Darren Mar-Elia.

http://www.mail-archive.com/activedir@mail.activedir.org/msg42964.html

Tony
-- Original Message --
From: "Alberto Oviedo" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 19 Oct 2006 15:03:10 -0600

I have 8 users in a OU (including my boss). I need to apply a group policy
to that OU but leave out my boss.

How can I filter that user without moving him out of the OU?
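The security-group filter Tony refers to works by putting a Deny ACE for the Apply-Group-Policy extended right on the GPO for a group the exempt user belongs to; a Deny beats the Allow that Authenticated Users have by default, and the user stays in the OU. The PowerShell below is an added example, not code from the list or from Darren Mar-Elia's archived post. It assumes the RSAT GroupPolicy and ActiveDirectory modules and rights to edit the GPO's security; the GPO and group names in the usage lines are placeholders, and the function names are mine.

```powershell
# Added example: exempt one user from a GPO linked to his OU by denying a group the
# Apply-Group-Policy right on the GPO (security filtering), without moving the user.
# Assumptions (not from the thread): RSAT GroupPolicy and ActiveDirectory modules,
# rights to edit the GPO's ACL; the GPO/group names in the usage lines are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# rightsGuid of the Apply-Group-Policy control access right in the AD schema.
$ApplyGroupPolicyGuid = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Deny-GPOApply {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $gpo  = Get-GPO -Name $GpoName
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $path = "AD:\$($gpo.Path)"    # the groupPolicyContainer object; the AD: drive comes with the AD module

    $acl  = Get-Acl -Path $path
    # Explicit Deny on the extended right: the user still reads the GPO, but does not apply it.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGroupPolicyGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Test-GPOApplyDenied {
    # Returns $true when an explicit Deny on Apply-Group-Policy exists for the group.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $gpo = Get-GPO -Name $GpoName
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$($gpo.Path)"
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.ObjectType -eq $ApplyGroupPolicyGuid -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    })
}

# Usage (names are placeholders):
# New-ADGroup -Name 'GPO-Exempt-Desktop-Lockdown' -GroupScope Global -Path 'OU=Groups,DC=example,DC=com'
# Add-ADGroupMember -Identity 'GPO-Exempt-Desktop-Lockdown' -Members bossuser
# Deny-GPOApply -GpoName 'Desktop Lockdown' -GroupName 'GPO-Exempt-Desktop-Lockdown'
# Test-GPOApplyDenied -GpoName 'Desktop Lockdown' -GroupName 'GPO-Exempt-Desktop-Lockdown'
```

Use a group rather than the user's own SID so the exemption is visible and reusable, and remember that Deny ACEs are easy to forget: anyone added to that group later silently stops receiving the policy. After editing the ACL outside GPMC, expect GPMC to report that the SYSVOL permissions are inconsistent with Active Directory and to offer to synchronise them; accept that.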



Re: [ActiveDir] Latency in List

2006-10-18 Thread Tony Murray
I'll look into it.

Tony

-- Original Message --
From: "Paul Williams" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Wed, 18 Oct 2006 09:49:09 +0100

Yeah, I sort of bitched about it last month when I had some time to reply. 
I see about 90 - 100 minute delays.


--Paul

- Original Message - 
From: "Vinnie Cardona" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, October 18, 2006 1:00 AM
Subject: RE: [ActiveDir] Latency in List


> This message was sent at 6pm (MST)
>
> I have seen latency...
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: Tuesday, October 17, 2006 3:09 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Latency in List
>
> I initially sent a reply with to this thread (below) at 19:43 BST yet I 
> only
> receive it back at 21:37 BST nearly two hours later, is anyone else
> experiencing latency or is just me?
>
> Let's see what this message does!
>
> Mark
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: 17 October 2006 19:43
> To: ActiveDir.org
> Subject: Re: [ActiveDir] The remote computer has ended the connection.
>
>
>
>


RE: [ActiveDir] Lingering info following domain rename with rendom

2006-10-16 Thread Tony Murray
Aha, the rendom /clean was what I hadn't run.  In typical fashion I ignored 
everything after rendom /end (and GPFixUp). This is a lab environment after 
all :-)

Thanks Steve - it was driving me nuts.

Tony

-- Original Message --
From: Steve Linehan <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Mon, 16 Oct 2006 20:10:15 -0700

Have you run the rendom /clean operation yet?  Also what is the output of 
netdom /enumerate:ALLNAMES ?


Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, October 16, 2006 9:19 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Lingering info following domain rename with rendom

Hi all

I've renamed a domain using the rendom utility.  All appears to have gone well, 
but I now get 5781 Netlogon errors in the System event log complaining that it 
can't register DNS records associated with the old domain.  This doesn't appear 
to affect anything, but I'm keen to know why this is happening.

The SRV records for the new domain name are all registered correctly (AD 
integrated DNS).

If I look in the netlogon.dns file I see records representing both the old 
domain name (let's say old.com) and the new domain name (new.com).

The old zone was AD integrated, so I've trawled through AD looking for 
references to the old zone, but I can't find anything.  I've looked in the 
following locations, but all seems normal, i.e. references to the new domain 
name.

CN=MicrosoftDNS,CN=System,
DC=DomainDNSZones,
DC=ForestDNSZones,

I've tried clearing the server cache, but no joy.

I've tried deleting the netlogon.dns and netlogon.dnb and restarting the 
netlogon service, but that didn't help.  Each time the newly created 
netlogon.dns contains records corresponding to the old domain.

The netlogon log file (with debugging turned on) contains the following 
references to the old domain:

10/17 14:26:18 [DOMAIN] NlUpdateDnsRootAlias: Updating DnsDomainNameAlias from 
(null) to old.com
10/17 14:26:18 [DOMAIN] NlUpdateDnsRootAlias: Updating DnsForestNameAlias from 
(null) to old.com

Any thoughts on where the old domain information might be coming from?

Tony



[ActiveDir] Lingering info following domain rename with rendom

2006-10-16 Thread Tony Murray
Hi all

I've renamed a domain using the rendom utility.  All appears to have gone well, 
but I now get 5781 Netlogon errors in the System event log complaining that it 
can't register DNS records associated with the old domain.  This doesn't appear 
to affect anything, but I'm keen to know why this is happening.

The SRV records for the new domain name are all registered correctly (AD 
integrated DNS).

If I look in the netlogon.dns file I see records representing both the old 
domain name (let's say old.com) and the new domain name (new.com).  

The old zone was AD integrated, so I've trawled through AD looking for 
references to the old zone, but I can't find anything.  I've looked in the 
following locations, but all seems normal, i.e. references to the new domain 
name.

CN=MicrosoftDNS,CN=System,
DC=DomainDNSZones,
DC=ForestDNSZones,

I've tried clearing the server cache, but no joy.

I've tried deleting the netlogon.dns and netlogon.dnb and restarting the 
netlogon service, but that didn't help.  Each time the newly created 
netlogon.dns contains records corresponding to the old domain.

The netlogon log file (with debugging turned on) contains the following 
references to the old domain:

10/17 14:26:18 [DOMAIN] NlUpdateDnsRootAlias: Updating DnsDomainNameAlias from 
(null) to old.com
10/17 14:26:18 [DOMAIN] NlUpdateDnsRootAlias: Updating DnsForestNameAlias from 
(null) to old.com

Any thoughts on where the old domain information might be coming from?

Tony 


[ActiveDir] [OT] Exchange 2007 Schema

2006-10-05 Thread Tony Murray
Hi all

There are apparently schema changes post Beta 2 - just in case anyone was 
considering pre-loading the schema changes into production [1].

I don't have any further details on what the changes are.

Tony

[1] Which of course you wouldn't contemplate with a Beta product :-) 


RE: [ActiveDir] ADAM on XP Pro

2006-10-04 Thread Tony Murray
Thanks Dmitri

Yes, my security concern was with regard to laptop theft.  As you say, these 
are ADAM and not AD accounts, so the risk of compromise is localised to the 
application.  Good tip about EFS (even if I'm not a big fan of it generally).  
There may be other options (e.g. hardware encryption).

I will give some further thought to the potential replication issues you 
mention when I know more about the application - I haven't managed to get my 
hands on it yet :-)

Tony
-- Original Message --
From: Dmitri Gavrilov <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Wed, 4 Oct 2006 20:18:28 -0700

ADAM on XP is no different from ADAM on w2k3 security-wise. The big
differences are that it is throttled somewhat perf-wise, and also
there's no auditing.

I do not see any serious security problems with this approach. Unless
you are thinking that somebody steals the laptop, cracks the DIT open
and brute-forces the pwd hashes? Store the DIT on an EFS volume then. In
any case, these are ADAM users, not windows...

The only problem will be replication -- instances will complain that
they are unable to replicate when in offline mode. Perhaps this can be
resolved by creating a separate site for every instance and setting up
manual links to the hub instance. Hmm. Not sure. I guess it depends on
how long they'll stay offline. KCC is not really optimized to work well
in such scenarios.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, October 04, 2006 7:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ADAM on XP Pro

I've been talking to a vendor about an application they are developing.
It involves running ADAM instances on XP Pro machines (laptops) that
replicate with a centralised ADAM instance running on W2K3.  I don't
have further details at this stage, but I believe they are planning
to use the local ADAM instance to authenticate laptop users to an
application when they are off-line.

In addition to security concerns with this approach, I'm not really
comfortable with the idea of ADAM instances on laptops being part of a
configuration set.  I had always understood ADAM on XP to be used for a
personal data store
(http://technet2.microsoft.com/WindowsServer/en/library/29fb059e-544c-4577-bf7c-ba4b08df48431033.mspx?mfr=true).

Any thoughts on this?

Tony 


[ActiveDir] ADAM on XP Pro

2006-10-04 Thread Tony Murray
I've been talking to a vendor about an application they are developing.  It 
involves running ADAM instances on XP Pro machines (laptops) that replicate 
with a centralised ADAM instance running on W2K3.  I don't have further details 
at this stage, but I believe they are planning to use the local ADAM 
instance to authenticate laptop users to an application when they are off-line.

In addition to security concerns with this approach, I'm not really comfortable 
with the idea of ADAM instances on laptops being part of a configuration set.  
I had always understood ADAM on XP to be used for a personal data store 
(http://technet2.microsoft.com/WindowsServer/en/library/29fb059e-544c-4577-bf7c-ba4b08df48431033.mspx?mfr=true).

Any thoughts on this?

Tony

Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Tony Murray
Yes, I can see that Windows SASL binds might not be universally available ;-)

Thinking about it, another problem with the SASL binds is that presumably the 
ADAM instance must be running on a server that is a member of the 
authenticating AD domain (or at least one that has a trust back to the 
authenticating domain).  This would limit its usefulness in extranet scenarios 
because of the ports that would have to be opened between ADAM and AD (assuming 
they are on opposite sides of a firewall).

Tony
-- Original Message --
From: "Joe Kaplan" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 28 Sep 2006 22:12:34 -0500

The problem is that this happens a lot.  There are simply tons of 
applications out there that don't use Windows SASL binds.  It would be nice 
if it wasn't this way, but that's the reality of LDAP auth, especially with 
vendors that don't use Microsoft's LDAP libraries.  I've got at least 6 of 
these at work right now.

The other thing that is hard to deal with is scenarios where you have a mix 
of ADAM and AD principals.  Since it isn't easy to tell ADAM principals apart 
from AD principals, except possibly by naming convention, it can be hard to 
know whether an app should do a simple or SASL bind for a given user in this 
use case.

So, the advice from MS is good, but not easy to follow.  Also, the feature 
is there to be used.

Another thing is that to use features like Fast Concurrent Bind, you have to 
do simple bind.  It isn't supported with SASL.

BTW, does FCB work with bind proxies?  I've never tried.

Joe K.

- Original Message - 
From: "Tony Murray" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, September 28, 2006 9:27 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password


> My impression from reading the on-line documentation is that the use of 
> ADAM Proxy Objects and bind redirection is frowned upon anyway.
>
> "Proxy users are designed for special circumstances and should only be 
> used as a last resort, when Windows principals cannot be used directly."
>
> and
>
> "ADAM bind redirection should be used only in special cases where an 
> application can perform a simple LDAP bind to ADAM but the application 
> still needs to associate the user with a security principal in Active 
> Directory."
>
> From 
> http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true
>
> Is there no way for the application to use the recommended alternative, 
> i.e. where ADAM receives a SASL bind request and forwards the request to 
> Active Directory?
>
> Tony
>
> -- Original Message --
> From: "Jef Kazimer" <[EMAIL PROTECTED]>
> Reply-To: ActiveDir@mail.activedir.org
> Date:  Thu, 28 Sep 2006 21:17:39 -0500
>
> Eric,
>
> The problem stems from lack of ability to modify the application to 
> correct
> the behavior.  If I had the ability to force this, I would simply require
> null/blank not to be passed to the ADAM server from the application.
>
> I've been at odds about the DCR myself, for all the reasons you mentioned.
> Yet, without the ability to control the applications, the only thing I can
> control is the directory itself.  Without a mechanism to disable such
> behavior, I am without recourse unfortunately.
>
> So far, I've been able to avoid this problem, because the 2 apps I had 
> this
> happen with, the developer was able to modify the authentication dialog. 
> I
> have had other apps with other issues, where modification was not 
> possible.
> These did not suffer this poor design issue, but I wonder if I will get 
> such
> an app eventually.  I suppose I am just trying to solve a problem, I have
> not been forced to solve by this method, which means it can wait.
>
> I could go into how it would be nice to have enterprise application 
> minimum
> standards, and application owners involve infrastructure staff BEFORE an 
> app
> is purchased, instead of after when it doesn't work, but I won't :)
>
> Jef
>
>
> - Original Message -
> From: "Eric Fleischman" <[EMAIL PROTECTED]>
> To: 
> Sent: Thursday, September 28, 2006 8:48 PM
> Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password
>
> One solution would be to ACL all objects such that SELF can read them,
> then have the app, after it has authenticated as the user, try and read
> something on the user itself. This way you know you are in fact that
> user (or someone else that has read access, which presumably won't work
> as anonymous).
>
> In terms of your DCR...could such a 

Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Tony Murray
My impression from reading the on-line documentation is that the use of ADAM 
Proxy Objects and bind redirection is frowned upon anyway.

"Proxy users are designed for special circumstances and should only be used as 
a last resort, when Windows principals cannot be used directly."

and

"ADAM bind redirection should be used only in special cases where an 
application can perform a simple LDAP bind to ADAM but the application still 
needs to associate the user with a security principal in Active Directory."

From http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true

Is there no way for the application to use the recommended alternative, i.e. 
where ADAM receives a SASL bind request and forwards the request to Active 
Directory?

Tony

-- Original Message --
From: "Jef Kazimer" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 28 Sep 2006 21:17:39 -0500

Eric,

The problem stems from lack of ability to modify the application to correct 
the behavior.  If I had the ability to force this, I would simply require 
null/blank not to be passed to the ADAM server from the application.

I've been at odds about the DCR myself, for all the reasons you mentioned. 
Yet, without the ability to control the applications, the only thing I can 
control is the directory itself.  Without a mechanism to disable such 
behavior, I am without recourse unfortunately.

So far, I've been able to avoid this problem, because the 2 apps I had this 
happen with, the developer was able to modify the authentication dialog.  I 
have had other apps with other issues, where modification was not possible. 
These did not suffer this poor design issue, but I wonder if I will get such 
an app eventually.  I suppose I am just trying to solve a problem, I have 
not been forced to solve by this method, which means it can wait.

I could go into how it would be nice to have enterprise application minimum 
standards, and application owners involve infrastructure staff BEFORE an app 
is purchased, instead of after when it doesn't work, but I won't :)

Jef


- Original Message -
From: "Eric Fleischman" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, September 28, 2006 8:48 PM
Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password

One solution would be to ACL all objects such that SELF can read them,
then have the app, after it has authenticated as the user, try and read
something on the user itself. This way you know you are in fact that
user (or someone else that has read access, which presumably won't work
as anonymous).

In terms of your DCR...could such a bit be put in? I guess. But DCRs
that are filed with the intentional intent of going against an RFC
typically have a rough time getting through even with a very strong
business impact. And you have a workaround already in the app, and
another solution I mentioned above. Just setting expectations...

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Thursday, September 28, 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM bind Redirection with a NULL password

Since there has been talk of LDAP "Authentication" as of late, I figured I'd
post my issue of poorly developed applications allowing a null password to
an ADAM instance using Bind Redirection.

http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!710.entry

I'd be curious if a bit flip to shut down this possibility could be put in
control of the directory Admin, instead of relying on the developers.

Thanks,

Jef Kazimer
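
An added illustration (not code from the thread, from ADAM, or from any real LDAP library) of the hole Jef describes and the two mitigations discussed above: Jef's preferred fix of refusing a blank password in the application, and Eric's check of reading the user's own object after the bind. The directory, DNs and password are a constructed in-memory stand-in that follows the RFC 4513 rule that a simple bind carrying a name and a zero-length password is an unauthenticated (anonymous) bind; the second entry is deliberately world-readable to show Eric's caveat that the check only works when anonymous read is denied.

```python
"""Constructed model of an ADAM-style LDAP server with bind redirection and
three application-side login routines: the naive one the thread complains
about and two hardened variants. Illustration only, not ADAM or a real
LDAP client library."""

from dataclasses import dataclass

ANONYMOUS = "anonymous"


class BindError(Exception):
    """Raised for invalidCredentials."""


class AccessDenied(Exception):
    """Raised when the bound identity may not read the requested entry."""


@dataclass
class Session:
    identity: str  # the bound DN, or ANONYMOUS


class FakeAdam:
    """RFC 4513 section 5.1.2: a simple bind carrying a name but a zero-length
    password is an *unauthenticated* bind and succeeds with anonymous
    authorization. Bind redirection does not change that, which is the hole
    Jef hits when an app forwards an empty password field."""

    def __init__(self, passwords, readable_by):
        # passwords: DN -> secret (constructed test data only)
        # readable_by: DN -> identities that may read the entry; "SELF" means
        # the entry's own DN, ANONYMOUS means the entry is world-readable
        self.passwords = passwords
        self.readable_by = readable_by

    def bind(self, dn, password):
        if dn and password == "":
            return Session(ANONYMOUS)  # succeeds without any credential check
        if dn in self.passwords and self.passwords[dn] == password:
            return Session(dn)
        raise BindError("invalidCredentials")

    def read_entry(self, session, dn):
        allowed = self.readable_by.get(dn, set())
        if ANONYMOUS in allowed or (session.identity == dn and "SELF" in allowed):
            return {"distinguishedName": dn}
        raise AccessDenied(dn)


def naive_login(server, dn, password):
    """Bind succeeded == user authenticated. Accepts an empty password."""
    try:
        server.bind(dn, password)
        return True
    except BindError:
        return False


def login_with_self_read(server, dn, password):
    """Eric's mitigation: after binding, read the user's own object. If the ACL
    grants SELF read but not anonymous, the unauthenticated bind fails the
    read, so the hole is closed without touching the app's password handling."""
    try:
        session = server.bind(dn, password)
        server.read_entry(session, dn)
        return True
    except (BindError, AccessDenied):
        return False


def hardened_login(server, dn, password):
    """Both fixes: never send an empty or whitespace-only password to the
    directory (Jef's fix where the app can be changed), then verify self-read."""
    if not password or not password.strip():
        return False
    return login_with_self_read(server, dn, password)


# Constructed sample directory. The second entry is readable by anonymous on
# purpose: the self-read check cannot distinguish an unauthenticated bind from
# a real one if the user object is world-readable.
SERVER = FakeAdam(
    passwords={"CN=alice,OU=Users,O=App": "correct horse"},
    readable_by={
        "CN=alice,OU=Users,O=App": {"SELF"},
        "CN=public,OU=Users,O=App": {"SELF", ANONYMOUS},
    },
)

if __name__ == "__main__":
    alice = "CN=alice,OU=Users,O=App"
    print("naive, empty password:      ", naive_login(SERVER, alice, ""))
    print("self-read, empty password:  ", login_with_self_read(SERVER, alice, ""))
    print("hardened, correct password: ", hardened_login(SERVER, alice, "correct horse"))
```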


Re: [ActiveDir] Activesync and OMA not working

2006-09-25 Thread Tony Murray

Did you try the suggestions that correspond to the error from the link I sent 
earlier?

"1. a. On your Pocket PC 2003-based device, click Start, ActiveSync, Tools, 
Options, Server and check the box “This server uses an SSL connection”.
2. On your Smartphone 2003-based device, click Start, ActiveSync, Menu, 
Options, Server Settings, Connection and check the box “This server uses an SSL 
connection”.
3. Verify that host headers are configured correctly."

Cheers
Tony
-- Original Message --
From: "Ravi Dogra" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Tue, 26 Sep 2006 06:11:53 +0530

support code 85010004

Your account does not have permission to sync with your current
settings. Contact your Microsoft Exchange administrator.



On 9/26/06, Tony Murray <[EMAIL PROTECTED]> wrote:
> What error code do you see on the mobile device with ActiveSync?
>
> I've found this table to be helpful in the past.
>
> http://www.pocketpcfaq.com/faqs/activesync/exchange_errors.php
>
> Tony
> -- Original Message --
> From: "Ravi Dogra" <[EMAIL PROTECTED]>
> Reply-To: ActiveDir@mail.activedir.org
> Date:  Tue, 26 Sep 2006 05:02:35 +0530
>
> I was able to see Event ID's 1501, 1502 and 1503 on FE.
>
> This has something to do with SSL, because when I go to
> http://mail.domain.com/oma it prompts me to use https. Another thing
> is I have redirected my home directory to the /exchange URL.
>
>
> On 9/26/06, Brian Desmond <[EMAIL PROTECTED]> wrote:
> > Sounds like a communication issue between the frontends and the
> > backends, frontends and global catalogs, etc...
> >
> > Thanks,
> > Brian Desmond
> > [EMAIL PROTECTED]
> >
> > c - 312.731.3132
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > > [EMAIL PROTECTED] On Behalf Of Ravi Dogra
> > > Sent: Monday, September 25, 2006 6:13 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] Activesync and OMA not working
> > >
> > > Hi,
> > >
> > > Day before yesterday everything was working fine with OMA and
> > > Activesync. Users were able to sync from inside and outside site
> > > premises. But suddenly it is not working.
> > >
> > > There were no changes made. The only change made was FBA, and it's been a
> > > week now.
> > >
> > > I have one FE and 2 BE.
> > >
> > > Situation is when user is putting in the IP Address of BE instead of
> > > FE it works fine in his PPC. But the moment he does it to FE it stops
> > > working.
> > >
> > > Please suggest
> > >
> > > --
> > > Ravi Dogra
> >
>
>
> --
> Ravi Dogra


--
Ravi Dogra

Re: [ActiveDir] Activesync and OMA not working

2006-09-25 Thread Tony Murray
What error code do you see on the mobile device with ActiveSync?

I've found this table to be helpful in the past.

http://www.pocketpcfaq.com/faqs/activesync/exchange_errors.php

Tony
-- Original Message --
From: "Ravi Dogra" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Tue, 26 Sep 2006 05:02:35 +0530

I was able to see Event ID's 1501, 1502 and 1503 on FE.

This has something to do with SSL, because when I go to
http://mail.domain.com/oma it prompts me to use https. Another thing
is I have redirected my home directory to the /exchange URL.


On 9/26/06, Brian Desmond <[EMAIL PROTECTED]> wrote:
> Sounds like a communication issue between the frontends and the
> backends, frontends and global catalogs, etc...
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
>
> c - 312.731.3132
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > [EMAIL PROTECTED] On Behalf Of Ravi Dogra
> > Sent: Monday, September 25, 2006 6:13 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Activesync and OMA not working
> >
> > Hi,
> >
> > Day before yesterday everything was working fine with OMA and
> > Activesync. Users were able to sync from inside and outside site
> > premises. But suddenly it is not working.
> >
> > There were no changes made. The only change made was FBA, and it's been a
> > week now.
> >
> > I have one FE and 2 BE.
> >
> > Situation is when user is putting in the IP Address of BE instead of
> > FE it works fine in his PPC. But the moment he does it to FE it stops
> > working.
> >
> > Please suggest
> >
> > --
> > Ravi Dogra
>


-- 
Ravi Dogra

RE: [ActiveDir] [OT] IIFP GAL Sync: X.500 Addresses

2006-09-22 Thread Tony Murray
Thanks both of you.  I understand the concept of X.500 addresses being
useful for maintaining the ability to reply to senders whose mailbox has
moved elsewhere.  It doesn't explain why:

A) they are required for the IIFP. At a basic level I can manually emulate
the GAL sync behaviour by creating a Contact object and assigning just an
SMTP and X.400 address.  Mail flow will work just fine without the need for
an X.500 address;  
B) each user object receives two X.500 addresses (one corresponding to each
Exchange organisation);
C) the Contact objects also receive two X.500 addresses.  

I'll run it past some of the guys and the product group and see what comes
back.

Tony


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Saturday, 23 September 2006 1:09 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] IIFP GAL Sync: X.500 Addresses

Al Mulnick wrote:
> There's an additional reason you would want those addresses: replies 
> to email will work with that address stamped on there.  There was a 
> blog entry last year related to x.500 addresses and their usage on 
> "you had me at ehlo" or something like that.

Yes, that's the case - if something is sent (for example a reply) to this
"second" address it will be delivered if you have this X500 address. If
you are using the standard GAL scenario delivered with IIFP, this is the correct
configuration.

I think Al is thinking about this post:
http://msexchangeteam.com/archive/2004/03/24/95451.aspx

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)

[ActiveDir] [OT] IIFP GAL Sync: X.500 Addresses

2006-09-21 Thread Tony Murray
Two forest scenario.  IIFP 1a. Both forests Windows 2003 SP1 and  Exchange 2003 
SP2.

After initial setup and synchronisation I notice that my synced users (and 
their corresponding Contact objects in the second forest) acquire two new X500 
addresses (one for each Exchange org).

Simple question really.  Is this normal and expected or have I misconfigured 
something?  I assume the X500 address is to uniquely identify them in the 
metaverse, but having two seems excessive!

Thanks

Tony

Re: [ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread Tony Murray
Yeah, good to have you back on board, Rick.  What have you been up to?

Tony
-- Original Message --
From: ASB <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 21 Sep 2006 15:37:45 -0400

Welcome back, Rick.  :)

-ASB


On 9/21/06, Rick Kingslan <[EMAIL PROTECTED]> wrote:
>
> Be afraid  Be very afraid!  :-)
>
>
>
> Rick
>

Re: [ActiveDir] DC Establishing Session to client on TCP139

2006-09-20 Thread Tony Murray
Are these maybe clients that have printers published in AD?  The pruner on the 
DCs might be trying to contact the print queues on these workstations.  

Just a thought.

Tony
-- Original Message --
From: "Brian Desmond" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Wed, 20 Sep 2006 20:53:04 -0500

I'm seeing a lot of hits in firewall logs for DCs trying to establish
sessions to clients on TCP139 (NBT Session Service). Does anyone know
why this is happening or if it's necessary?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

[ActiveDir] LDAPEditor

2006-09-20 Thread Tony Murray
Hi all

I recently came across this free ldap editor:

http://www.ldapeditor.com/

It has some nice features, such as the ability to sort attributes by name, save 
searches, edit, etc.

Might be of interest to this community.

Tony

RE: [ActiveDir] Ad Reporting Tools

2006-09-18 Thread Tony Murray
Here's an example of a fairly simple VBScript that will create a spreadsheet 
and list all the computers (plus their details) below a given level.  You 
should be able to tweak it to give you the information you need.  

Tony

Set objExcel = WScript.CreateObject("Excel.Application")
objExcel.Visible = True
objExcel.Workbooks.Add

objExcel.ActiveSheet.Name = "Domain Computers"
objExcel.ActiveSheet.Range("A1").Activate
objExcel.ActiveCell.Value = "cn"                        ' col header 1
objExcel.ActiveCell.Offset(0,1).Value = "OS"            ' col header 2
objExcel.ActiveCell.Offset(0,2).Value = "OS-ver"        ' col header 3
objExcel.ActiveCell.Offset(0,3).Value = "OS-SP"         ' col header 4
objExcel.ActiveCell.Offset(0,4).Value = "Description"   ' col header 5
objExcel.ActiveCell.Offset(0,5).Value = "whenCreated"   ' col header 6
objExcel.ActiveCell.Offset(1,0).Activate                ' move 1 down

' Search base in ADO/ADSI form: "<LDAP://...>;". The value posted to the
' list did not survive the archive; this is a placeholder, substitute the
' domain or OU you want to report on.
strADsPath = "<LDAP://DC=example,DC=com>;"
strFilter  = "(objectcategory=computer);"
strAttrs   = "cn,operatingSystem,operatingSystemVersion," & _
             "operatingSystemServicePack,description,whenCreated;"
strScope   = "subtree"

Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objRS = objConn.Execute(strADsPath & strFilter & strAttrs & strScope)
If Not objRS.EOF Then objRS.MoveFirst    ' MoveFirst errors on an empty result set
While Not objRS.EOF
    objExcel.ActiveCell.Value = objRS.Fields(0).Value
    objExcel.ActiveCell.Offset(0,1).Value = objRS.Fields(1).Value
    objExcel.ActiveCell.Offset(0,2).Value = objRS.Fields(2).Value
    objExcel.ActiveCell.Offset(0,3).Value = objRS.Fields(3).Value
    objExcel.ActiveCell.Offset(0,4).Value = objRS.Fields(4).Value
    objExcel.ActiveCell.Offset(0,5).Value = objRS.Fields(5).Value
    objExcel.ActiveCell.Offset(1,0).Activate
    objRS.MoveNext
Wend

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, September 18, 2006 6:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ad Reporting Tools


Folks,
 
  I am struggling with a fairly simple request. We would like a simple
report that lists how many PC's there are in each OU into an Excel
Spreadsheet. Well I have managed to do this with CSVDE and the summary
report in Excel. Is there a better (low cost) solution? 
 
 
Dave Wade
E-Services
0161 474 5456
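
The per-OU count Dave asked for, as an added Python example (not Tony's script, which lists individual computers, and not Dave's CSVDE approach): it parses each computer's distinguishedName with RFC 4514 escapes honoured and tallies objects by parent container, optionally rolling counts up through parent OUs. The DNs below are constructed sample data; in practice they would come from the same ADO query with distinguishedName added to the attribute list.

```python
"""Added example: tally computer objects per container from distinguishedName
values. The sample DNs are constructed; real ones would come from the
(objectCategory=computer) query used elsewhere in the thread."""

from collections import Counter


def split_dn(dn):
    """Split an RFC 4514 distinguished name into its RDN strings, keeping
    backslash escapes intact so a comma inside an OU name (OU=Sales\\, EMEA)
    is not mistaken for an RDN separator."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # escaped char stays with its backslash
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def parent_container(dn):
    """DN of the container holding the object (everything after the first RDN)."""
    return ",".join(split_dn(dn)[1:])


def count_per_container(dns, include_ancestors=False):
    """Count objects by immediate parent container (an OU or the default
    CN=Computers container). With include_ancestors=True every OU above the
    parent is credited too, giving a 'this OU and everything beneath it'
    total; the domain root itself (DC=...) is left out of the tally."""
    counts = Counter()
    for dn in dns:
        rdns = split_dn(dn)
        ancestors = [",".join(rdns[i:]) for i in range(1, len(rdns))]
        if not include_ancestors:
            ancestors = ancestors[:1]
        for container in ancestors:
            if container.upper().startswith("DC="):
                continue
            counts[container] += 1
    return dict(counts)


def report_rows(counts):
    """(container, count) rows sorted by count descending, ready for a sheet."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample data, including an OU name with an escaped comma.
SAMPLE_DNS = [
    "CN=PC-001,OU=Workstations,DC=example,DC=com",
    "CN=PC-002,OU=Workstations,DC=example,DC=com",
    "CN=PC-003,OU=Sales\\, EMEA,OU=Workstations,DC=example,DC=com",
    "CN=PC-004,OU=Sales\\, EMEA,OU=Workstations,DC=example,DC=com",
    "CN=PC-005,CN=Computers,DC=example,DC=com",
    "CN=SRV-01,OU=Servers,DC=example,DC=com",
]

if __name__ == "__main__":
    for container, n in report_rows(count_per_container(SAMPLE_DNS, True)):
        print(f"{n:4d}  {container}")
```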

Re: [ActiveDir] Moving Users Between Domains

2006-09-07 Thread Tony Murray
ADMT should be used for moving objects between domains. 

Movetree should now only be used for objects that cannot be moved using ADMT (e.g. 
Contacts)

Tony
-- Original Message --
From: HBooGz <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 7 Sep 2006 18:50:29 -0400

I'd like to move an object from the parent domain to the child domain in a
pure windows 2003 R2 AD environment.

I've done this with the Movetree command back when AD was 2000 - do i still
use the same command or is there a different method/possibility ?

For informational purposes, I'd like to know how to the vice versa as well (
move from child domain to parent domain )

This all within one forest and same tree.

Thanks,

-- 
HBooGz:\>

Re: [ActiveDir] [OT] Exchange 2003 ADC Time Sync Issues - Event 8139

2006-09-07 Thread Tony Murray

Yann

Did you see this?:

http://www.mcse.ms/message568787.html

Tony
-- Original Message --
From: Yann <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 7 Sep 2006 20:25:02 +0200 (CEST)

Hello all,

  I have a 2-site Exchange 5.5 environment (2 5.5 servers per site on NT 4.0 SP6a 
with latest hotfixes), Windows 2003 Native Mode AD (Forest/Domain at 2003 
Functional Level). MSADC installed on 1 DC replicating Recipient Containers and 
Public Folders from both sites.

  I have Two-way replication. But replication from AD to Exchange 5.5 does not 
work. When I do a full replication
between AD and 5.5 from the ADC, every object throws the following warning 
event 8139 in the app log:

  The target object 'CN=yann,OU=Exch,DC=mycompany,DC=com' was modified after 
the source object 'cn=yann,o=mycompany.com' Consequently, the following set of 
updates will not be applied to the target object. If this warning persists, make 
sure that the time is correctly set on both the source and target servers.
dn: CN=CN=yann,OU=Exch,DC=mycompany,DC=com
  changetype: modify
replicationsignature:E1EB509F06C5614FB3BF6066ACFCF531
userAccountControl:
:<>
msExchMailboxGuid:
:<>
-
(Connection Agreement 'Users: mycompagny.com - mycompagny.com' #3254)

For more information, click http://www.microsoft.com/contentredirect.asp.

  I have verified time synch/time zone on all DCs and 5.5 servers. I have not 
found any solution to my issue. Next step will be a support call to PSS.

  Anyone with any insight into this would be greatly appreciated.

Thanks,

  Yann

Re: [ActiveDir] seeAlso

2006-09-05 Thread Tony Murray
I've not seen it used by any specific app.  Bear in mind that it is:

multivalued
not indexed
not a member of the partial attribute set (i.e. not replicated via GC)

Tony

PS. I've always wanted to extend the schema with a new attribute named 
tracesOfPeanuts, simply so I can see "May Contain: tracesOfPeanuts". :-)
-- Original Message --
From: "Isenhour, Joseph" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Tue, 5 Sep 2006 15:29:01 -0700

Does anyone know if the seeAlso attribute is used by any specific
application or is it up for grabs?  I'm thinking about using it to store
an alternate contact for a user.

Re: [ActiveDir] [OT] W. in hell [List owner]

2006-09-05 Thread Tony Murray
Hi Matt

It's not a zero tolerance zone, but given that there have now been two posts 
with joke content and no other communication from Brandon it struck me as 
sensible to temporarily unsubscribe his address from the list.

If he was not getting posts from the list he could have contacted me directly 
about that too.

Tony
-- Original Message --
From: "Matt Hargraves" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Tue, 5 Sep 2006 15:28:27 -0600

In case nobody figured it out, this was a mistake.  Brandon hasn't been
receiving anything from the activedir list.  Apparently he's been banned or
something.  (in case you didn't figure the rest out, I know him and asked if
he was the same OP Brandon, which he confirmed)

He accidentally added the activedir list to a DL.  I can understand blocking
someone from sending until something like this is resolved, but he hasn't
been receiving anything from the list either.  Apparently this is a zero
tolerance zone.  Oddly enough, that's not in the FAQ, maybe it should be
added.

Matt


On 9/3/06, Tony Murray <[EMAIL PROTECTED]> wrote:
>
> Hey Brandon
>
> Amusing though it is, the list is not really the place for this.
>
> Tony (list owner)
> -- Original Message --
> From: "Brandon Pierce" <[EMAIL PROTECTED]>
> Reply-To: ActiveDir@mail.activedir.org
> Date:  Sat, 2 Sep 2006 23:13:41 -0600
>
> George Bush has a heart attack and dies.  He goes to hell, where the Devil
> is waiting for him.
>
> "I'm not sure what to do," says the Devil.  "You're on my list, but I have
> no room for you.  As you definitely have to stay here, I'm going to have
> to
> let someone else go.  I've got three folks here who weren't quite as bad
> as
> you.
>
> I'll let you decide who leaves."
>
> George thought that sounded pretty good, so he agreed.
>
> The Devil opened the first room.  In it were Richard Nixon and a large
> pool
> of hot water.  He kept diving in and climbing out, over and over.  Such
> was
> his fate in hell.
>
> "No!" said George.  "I don't think so, I'm not a good swimmer and don't
> think I could stay in hot water all day."
>
> The Devil led him to the next room.  In it was Tony Blair with a
> sledgehammer and a room full of rocks.  All he did was swing the hammer,
> time after time.
>
> "No! I've got this problem with my shoulder.  I would be in constant agony
> if
> all I could do was break rocks all day." commented George.
>
> The Devil opened the third door.  In it, George saw Bill Clinton lying on
> the floor with his arms staked over his head, and his legs staked in a
> spread-eagle pose.  Bent over him was Monica Lewinsky, doing what she does
> best.
>
> George Bush looked at this in disbelief for a while, and finally said
> "Yeah,
> I can handle this."
>
> The Devil smiled and said, "OK, Monica, you're free to go!"
>
>
>
>

Re: [ActiveDir] [OT]The last departmental picnic [list owner]

2006-09-05 Thread Tony Murray
Not sure what's going on so I have temporarily suspended his subscription.

Tony
List owner and humourless [EMAIL PROTECTED] 



Re: [ActiveDir] W. in hell [List owner]

2006-09-03 Thread Tony Murray
Hey Brandon 

Amusing though it is, the list is not really the place for this.

Tony (list owner)
-- Original Message --
From: "Brandon Pierce" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Sat, 2 Sep 2006 23:13:41 -0600

George Bush has a heart attack and dies.  He goes to hell, where the Devil
is waiting for him.
 
"I'm not sure what to do," says the Devil.  "You're on my list, but I have
no room for you.  As you definitely have to stay here, I'm going to have to
let someone else go.  I've got three folks here who weren't quite as bad as
you.
 
I'll let you decide who leaves."
 
George thought that sounded pretty good, so he agreed.
 
The Devil opened the first room.  In it were Richard Nixon and a large pool
of hot water.  He kept diving in and climbing out, over and over.  Such was
his fate in hell.
 
"No!" said George.  "I don't think so, I'm not a good swimmer and don't
think I could stay in hot water all day."
 
The Devil led him to the next room.  In it was Tony Blair with a
sledgehammer and a room full of rocks.  All he did was swing the hammer,
time after time.
 
"No! I've got this problem with my shoulder.  I would be in constant agony if
all I could do was break rocks all day," commented George.
 
The Devil opened the third door.  In it, George saw Bill Clinton lying on
the floor with his arms staked over his head, and his legs staked in a
spread-eagle pose.  Bent over him was Monica Lewinsky, doing what she does
best.
 
George Bush looked at this in disbelief for a while, and finally said "Yeah,
I can handle this."
 
The Devil smiled and said, "OK, Monica, you're free to go!"



Re: [ActiveDir] Log File Sizes

2006-08-31 Thread Tony Murray
Hi Mark

Yes, I found out about this recently. A customer I am working with has the 
Maximum Event Log Size for DCs set to 4GB for the security event log.  Their 
log was overwriting existing events at about 470MB and I couldn't figure it 
out.  After some digging I found the following information (very similar to the 
one you posted).

http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch06n.mspx

Bizarre that Group Policy allows you to set the maximum to 4GB!

Tony
-- Original Message --
From: "Mark Parris" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 31 Aug 2006 13:24:25 + GMT

Sent this earlier but my blackberry is playing up. So if another one arrives 
later - sorry.

Does everyone know this recommendation from Microsoft?

On Windows XP, member servers, and stand-alone servers, the combined size of 
the application, security, and system event logs should not exceed 300 MB. On 
domain controllers, the combined size of these three logs - plus the Directory 
Service, File Replication Service, and DNS Server logs - should not exceed 300 
MB.

http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45ed-9e5e-514173bf15e31033.mspx?mfr=true

Mark


RE: [ActiveDir] Printers & AD GUI

2006-08-27 Thread Tony Murray
Not if pruning is disabled, no.

-- Original Message --
From: "joe" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Mon, 28 Aug 2006 01:20:09 -0400

Even if the pruning is disabled? 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, August 28, 2006 12:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Printers & AD GUI

It would get killed if the share didn't actually exist

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of joe
> Sent: Sunday, August 27, 2006 10:48 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Printers & AD GUI
> 
> But if a printer is not shared out to the network, is it a network
> device? It can only be used on the local machine.
> 
> Do you want every local printer on every single machine in a company
> showing up in the directory? Consider a large multinational with
> hundreds of thousands of desktops and thousands with local printers
> that aren't shared. Then you want a printer with a certain capability
> in a certain site and you look and find one in the directory but it
> isn't actually shared out. You try to print to it, you can't. You call
> IT. They look into it and chase it to an exec who is like piss off. :)
> You tell the person they can't use it and they get snotty because
> everyone is better and more important than IT. :) Horrible
> escalations. :)
> 
> You could always create your own printqueue objects for your non-shared
> printers. It sounds like they would get zilched back out of the
> directory from the process Brian mentioned unless you disable the
> pruning. The other issue would be the mandatory attribute for the share
> name but you could give it what it would be if it were shared. I don't
> know what this would buy except that you can see them when browsing AD.
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro
> Sent: Sunday, August 27, 2006 10:24 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Printers & AD GUI
> 
> >You will note that when you create
> a queue, you get the option to publish it to the directory, it isn't
> mandatory, not required, it is simply an option
> 
> of course, but ONLY if you share them.  As soon as you stop sharing
> them, POOF
> 
> both you and Brian essentially said that yeah printers are not full AD
> objects, and that's the way it is.  But wasn't the promise of AD to
> bring ALL network objects (in the prosaic sense) into the manageability
> fold? There's no question that AD is vastly improved over NT as far as
> printers go, but I'd like to see the promise fulfilled.
> 
> - Original Message -
> From: "joe" <[EMAIL PROTECTED]>
> To: 
> Sent: Sunday, August 27, 2006 8:20 AM
> Subject: RE: [ActiveDir] Printers & AD GUI
> 
> 
> > Print Queue objects are created by default under the computer on which
> > the printers are shared from. It is, in fact, IMO, an extremely logical
> > way of handling it since you don't have to worry about delegating
> > permissions to print admins, the computer itself can create/delete them
> > as necessary. MSMQ Queues are handled the same way as lots of objects,
> > in my default R2 forest this is a list that can be handled this way
> >
> > applicationVersion
> > classStore
> > comConnectionPoint
> > dSA
> > indexServerCatalog
> > intellimirrorSCP
> > ipsecFilter
> > ipsecISAKMPPolicy
> > ipsecNegotiationPolicy
> > ipsecNFA
> > ipsecPolicy
> > msDFSR-LocalSettings
> > msDS-App-Configuration
> > msDS-AppData
> > msieee80211-Policy
> > mSMQConfiguration
> > mS-SQL-OLAPServer
> > mS-SQL-SQLServer
> > nTFRSSubscriptions
> > printQueue
> > remoteStorageServicePoint
> > rpcGroup
> > rpcProfile
> > rpcProfileElement
> > rpcServer
> > rpcServerElement
> > rRASAdministrationConnectionPoint
> > serviceAdministrationPoint
> > serviceConnectionPoint
> > serviceInstance
> > storage
> > Volume
> >
> >
> > As for why they are third class citizens in AD... I expect it is because
> > they are. I haven't done excessive investigation into how printers are
> > handled but I expect the print queue objects in AD are simply reflections
> > of the actual print queues on the servers. I don't expect you actually
> > manage anything in AD for them, you manage them on the server/ws and then
> > the print spooler updates any info it wants in AD. Certainly you find
> > them in AD but that just tells the underlying software where to go look
> > and the software goes to that print queue directly on that server. I am
> > pretty confident that if you delete a prin

RE: [ActiveDir] Printers & AD GUI

2006-08-27 Thread Tony Murray
It's not well documented.  The best source I found is the whitepaper:

Integration of Windows 2000 Printing with Active Directory

http://www.microsoft.com/windows2000/docs/printad.doc

Here's an extract.

"The pruning service, which runs on each domain controller, performs this 
automatic removal of non-existent printers. The printer pruner periodically 
checks each print server for orphaned printers, and if a printer is not 
detected, the pruner deletes it. The pruner checks only those print servers 
that are in the same site as the domain controller on which the pruning service 
is running.
Group Policy settings are used to control the behavior of the printer pruner 
(see the Role of Group Policy section earlier in this paper). By default, if 
the pruner cannot detect a printer three times in a row at eight-hour 
intervals, it assumes that the entry is no longer valid and deletes it."

The key here is that the pruner will attempt to connect to print queues on 
print servers, so this could well explain why you see the remote links coming 
up (assuming the remote sites have print queues but no DCs).

More information in this article I wrote a while back:

http://www.windowsitpro.com/Windows/Article/ArticleID/41104/41104.html

Tony

-- Original Message --
From: "joe" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Sun, 27 Aug 2006 17:46:28 -0400

Oh no kidding Brian... I had never heard that about the pruning... I hate to
ask this, but is there any documentation on that? That would totally explain
some things various folks have asked me about DCs spinning up dialup
connections at WAN sites every 8 hours... 

  joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, August 27, 2006 2:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Printers & AD GUI

Right. The computer is responsible for managing the print queue objects.
Any changes you make on the print server are reflected on the published
queue. Every time the spooler service starts it confirms that the queue
objects for published printers are all still in the directory.

There is a thread that runs on every DC by default which prunes printer
objects. It attempts to contact the print server every eight hours and
if it can't after two intervals (8 hours by default) the printer objects
get deleted. If you move the printers out from under the computer
objects, then the pruning thread is the only way they will get cleaned
up unless you do it yourself. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of joe
> Sent: Sunday, August 27, 2006 10:20 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Printers & AD GUI
> 
> Print Queue objects are created by default under the computer on which
> the printers are shared from. It is, in fact, IMO, an extremely logical
> way of handling it since you don't have to worry about delegating
> permissions to print admins, the computer itself can create/delete them
> as necessary. MSMQ Queues are handled the same way as lots of objects,
> in my default R2 forest this is a list that can be handled this way
> 
> applicationVersion
> classStore
> comConnectionPoint
> dSA
> indexServerCatalog
> intellimirrorSCP
> ipsecFilter
> ipsecISAKMPPolicy
> ipsecNegotiationPolicy
> ipsecNFA
> ipsecPolicy
> msDFSR-LocalSettings
> msDS-App-Configuration
> msDS-AppData
> msieee80211-Policy
> mSMQConfiguration
> mS-SQL-OLAPServer
> mS-SQL-SQLServer
> nTFRSSubscriptions
> printQueue
> remoteStorageServicePoint
> rpcGroup
> rpcProfile
> rpcProfileElement
> rpcServer
> rpcServerElement
> rRASAdministrationConnectionPoint
> serviceAdministrationPoint
> serviceConnectionPoint
> serviceInstance
> storage
> Volume
> 
> 
> As for why they are third class citizens in AD... I expect it is
> because they are. I haven't done excessive investigation into how
> printers are handled but I expect the print queue objects in AD are
> simply reflections of the actual print queues on the servers. I don't
> expect you actually manage anything in AD for them, you manage them on
> the server/ws and then the print spooler updates any info it wants in
> AD. Certainly you find them in AD but that just tells the underlying
> software where to go look and the software goes to that print queue
> directly on that server. I am pretty confident that if you delete a
> print queue object in AD the print queue will work continue to work
> fine on the server still, you just can't locate it via the AD.
> Contrast that with users, groups, computers, and other objects I expect
> you consider first class citizens. If you delete those types of
> objects, you will find they no longer work at all. :)  You will note
> that when you creat

RE: [ActiveDir] Server Performance Advisor

2006-08-24 Thread Tony Murray
Thanks Steve, that worked like a charm.  :-)

It's interesting that the report compiler chooses to summarise even though the 
reports themselves are different.

Another thing that struck me as a little strange is the fact that only the 
first LDAP search to trip the rules thresholds generates a warning.  In other 
words, all subsequent searches that exceed the threshold appear in the report 
without a warning.

On the whole I really like it, especially with the detail shown when setting 
the expert level to 10.

Tony
-- Original Message --
From: "Steve Linehan" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 24 Aug 2006 20:36:18 -0700

The tracing code still fires even if the data is cached, i.e. an LDAP
request is still made.  What I believe you are seeing is the report
compiler summarizing the results.  You can change to expert level to 10
which will cause the report to have all entries in it.

Thanks,

-Steve
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, August 24, 2006 10:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Server Performance Advisor

Hi all

I've been looking at SPA and have been trying to get it to report all
LDAP searches.  I've managed to get it to report searches, but the
results are inconsistent.  For example, if I kick off the performance
capture and then run an LDAP search that exceeds the configured warning
levels I will see something like this in the AD.XML file:


192.168.102.11
deep
dc=colours,...
SAM Account Name with multiple AND parts and
wildcards
idx_samaccountname
Success
900
900
0.02
103
0.22
  

If I run a subsequent capture, using the same (or similar) search
criteria it doesn't log the LDAP search activity in the AD.XML file.  I
suspect this perhaps has to with the DC caching search criteria, but I'm
not sure.

Can anyone shed any light on this?  Or, put another way, has anyone
successfully and consistently captured all LDAP search activity using
SPA?

Tony 



[ActiveDir] Server Performance Advisor

2006-08-24 Thread Tony Murray
Hi all

I've been looking at SPA and have been trying to get it to report all LDAP 
searches.  I've managed to get it to report searches, but the results are 
inconsistent.  For example, if I kick off the performance capture and then run 
an LDAP search that exceeds the configured warning levels I will see something 
like this in the AD.XML file:


192.168.102.11
deep
dc=colours,...
SAM Account Name with multiple AND parts and 
wildcards
idx_samaccountname
Success
900
900
0.02
103
0.22
  

If I run a subsequent capture, using the same (or similar) search criteria it 
doesn't log the LDAP search activity in the AD.XML file.  I suspect this 
perhaps has to with the DC caching search criteria, but I'm not sure.

Can anyone shed any light on this?  Or, put another way, has anyone 
successfully and consistently captured all LDAP search activity using SPA?

Tony 


RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Tony Murray
I agree with Jorge.  Seizing is not for the faint-hearted, as Brett's post 
from a while back shows...

http://www.mail-archive.com/activedir@mail.activedir.org/msg39683.html

Tony
-- Original Message --
From: "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 17 Aug 2006 17:02:12 +0200

the reason is that if a DC dies during the patching you do not have to seize 
the roles. IMHO, I prefer transferring over seizing
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :



From: [EMAIL PROTECTED] on behalf of John Strongosky
Sent: Thu 2006-08-17 16:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.


I'm confused, is this a standard practice as I thought you did not want to move 
the FSMO roles back and forth. 
 
john



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de
Sent: Thursday, August 17, 2006 4:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.


in addition to that
DC1 having FSMOset1 and DC2 having FSMOset2
transfer FSMOset1 from DC1 to DC2
apply patches to DC1 and reboot and check everything (event logs DCdiag, etc)
if everything OK!
transfer FSMOset1 and FSMOset2 from DC2 to DC1
apply patches to DC2 and reboot and check everything (event logs DCdiag, etc)
if everything OK!
transfer FSMOset2 from DC1 to DC2
voila (that's french)...done! ;-)
 
jorge

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji 
Akomolafe
Sent: Wednesday, August 09, 2006 01:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.


It doesn't matter.
 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about 
Yesterday? -anon



From: John Strongosky
Sent: Tue 8/8/2006 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FMSO roles split, patch question.


We have our FSMO roles split between 2 DCs. They are Schema 
Master/Domain Tree Operator on 1 and on 2,  the roles PDC Emulator/RID 
Pool/Infrastructure on the other. After I apply the patches from Microsoft what is 
the best practice for the boot order...or does it matter?
 
1. Remote DC/GC's first
2. no. 1
3. then no 2.
 
 
thanks


RE: [ActiveDir] ADFind Query

2006-08-14 Thread Tony Murray
Looks like the same one as on the download (March 2006).

Tony

PS.  We've got JoeWare - when are we going to see DeanWare?
-- Original Message --
From: "Dean Wells" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Mon, 14 Aug 2006 20:12:19 -0400

Hey Tony,

I tried posting it earlier but it hasn't appeared as yet nor did it bounce.
I'm uncertain as to the version on the activedir.org site so I've tried
posting another, smaller zipped enclosure in the hopes that this one will
make it through.

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Tony Murray
> Sent: Monday, August 14, 2006 8:03 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] ADFind Query
> 
> Have a look at Dean's SchemaDiff on the download page:
> 
> http://www.activedir.org/Downloads/Downloads.aspx
> 
> Tony
> -- Original Message --
> From: "WATSON, BEN" <[EMAIL PROTECTED]>
> Reply-To: ActiveDir@mail.activedir.org
> Date:  Mon, 14 Aug 2006 14:28:47 -0700
> 
> Hey guys,
> 
> 
> 
> Simple question.  I'm trying to perform a search to locate all the
> schema extensions that have been added in by our company.
> 
> 
> 
> I thought some simple syntax like this would work to find all schema
> attributes with an attributeID prefixed with our OID.
> 
> 
> 
> adfind -schema -f attributeID=1.3.6.1.4.1.14376.*
> 
> ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such
> Attribute
> 
> 
> 
> I'm obviously missing something, any thoughts?
> 
> 
> 
> Thanks,
> 
> ~Ben
> 


Re: [ActiveDir] ADFind Query

2006-08-14 Thread Tony Murray
Have a look at Dean's SchemaDiff on the download page:

http://www.activedir.org/Downloads/Downloads.aspx

Tony
-- Original Message --
From: "WATSON, BEN" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Mon, 14 Aug 2006 14:28:47 -0700

Hey guys,

 

Simple question.  I'm trying to perform a search to locate all the
schema extensions that have been added in by our company.

 

I thought some simple syntax like this would work to find all schema
attributes with an attributeID prefixed with our OID.

 

adfind -schema -f attributeID=1.3.6.1.4.1.14376.*

ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such
Attribute

 

I'm obviously missing something, any thoughts?

 

Thanks,

~Ben

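Ben's filter fails because attributeID (and governsID for classes) uses the OID syntax, which supports equality matching only, so a wildcard substring filter is not something the DC will evaluate. The workable approach, and what SchemaDiff-style tools do under the hood, is to pull the attributeID/governsID of every schema object and filter on the OID arc client-side. The script below is an added example, not code from the thread or from adfind: it parses a constructed LDIF-style dump (the shape you get from `ldifde -f schema.ldf -d CN=Schema,CN=Configuration,DC=... -l attributeID,governsID`) and matches on whole dotted components, so the neighbouring arc 1.3.6.1.4.1.143760 is not mistaken for 1.3.6.1.4.1.14376. The OID arc is Ben's; the schema objects in the sample are made up.

```python
"""Find schema extensions under a private enterprise OID arc.

Added example, not from the original thread. Filters client-side because
attributeID/governsID use the OID syntax (equality matching only).
"""
from typing import Dict, Iterator, List

# Constructed sample. The 1.3.6.1.4.1.14376 arc is the one from the question;
# the objects under it are invented for the example, as is the near-miss
# 1.3.6.1.4.1.143760 entry that a naive startswith() would accept.
SAMPLE_LDIF = """\
dn: CN=Sam-Account-Name,CN=Schema,CN=Configuration,DC=appsig,DC=com
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.4.221

dn: CN=appsig-EmployeeBadge,CN=Schema,CN=Configuration,DC=appsig,DC=com
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.14376.1.2.1

dn: CN=appsig-Person,CN=Schema,CN=Configuration,DC=appsig,DC=com
objectClass: classSchema
governsID: 1.3.6.1.4.1.14376.2.1

dn: CN=other-Vendor-Attr,CN=Schema,CN=Configuration,DC=appsig,DC=com
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.143760.1.1
"""


def parse_ldif(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per LDIF entry (entries are separated by blank lines).

    Handles LDIF line folding (continuation lines start with a space).
    For multi-valued attributes the last value wins, which for objectClass
    in an export is the most specific class (top is listed first).
    Base64 values (`::`) are not decoded; none are needed here.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry: Dict[str, str] = {}
    for line in lines:
        if not line.strip():
            if entry:
                yield entry
                entry = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entry[key.strip()] = value.strip()
    if entry:
        yield entry


def in_oid_arc(oid: str, arc: str) -> bool:
    """True if `oid` lies strictly below `arc`, comparing dotted components."""
    oid_parts = oid.split(".")
    arc_parts = arc.rstrip(".").split(".")
    return len(oid_parts) > len(arc_parts) and oid_parts[: len(arc_parts)] == arc_parts


def find_schema_extensions(ldif_text: str, arc: str) -> List[Dict[str, str]]:
    """Schema entries whose attributeID (attributes) or governsID (classes) is under `arc`."""
    hits = []
    for entry in parse_ldif(ldif_text):
        oid = entry.get("attributeID") or entry.get("governsID")
        if oid and in_oid_arc(oid, arc):
            hits.append({"dn": entry["dn"], "oid": oid,
                         "kind": entry.get("objectClass", "")})
    return hits


if __name__ == "__main__":
    for hit in find_schema_extensions(SAMPLE_LDIF, "1.3.6.1.4.1.14376"):
        print(f"{hit['kind']:16} {hit['oid']:28} {hit['dn']}")
```

Point the script at a real ldifde export of CN=Schema,CN=Configuration and it reports the extensions under your arc; anything under a different arc that your own scripts have added (a common surprise in long-lived forests) will not appear, so run it once per arc you have ever registered.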

[ActiveDir] Share your knowledge with the AD community

2006-08-08 Thread Tony Murray
Hi all

This is a reminder that there are a couple of methods by which you can share 
your AD knowledge and experience with the wider community. In addition to the 
ability to create your own articles on ActiveDir.org 
(http://www.activedir.org/Register.aspx) you can also have your own blog space 
provided by Dirteam.com. These blogs will be hosted at 
http://blogs.dirteam.com/blogs with the prefix http://blogs.dirteam.com/blogs/.

Communities are about sharing and helping each other grow and learn and we are 
very pleased to offer these features free to the community.

To apply for a free blog space send an email with the subject "Apply Blog" 
(without the " ") and in the body of the email specify which name to use in the 
prefix for your blog and your username, for example:

  To: [EMAIL PROTECTED]
  Subject: Apply Blog
  Body:
    Prefix: Carlos
    Username: Carlos000

Send this to [EMAIL PROTECTED] and we will then process your blog.

We are looking forward to hearing from you all.  Please email [EMAIL PROTECTED] 
with any queries.

Tony (ActiveDir.org) and Carlos (Dirteam.com)


Re: [ActiveDir] Different (open)LDAP Question

2006-08-01 Thread Tony Murray
msDs-User-Account-Control-Computed is a constructed attribute.  Constructed 
attributes cannot be set manually because they are automatically maintained by 
the system.

Tony
-- Original Message --
From: "David Aragon" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Tue, 1 Aug 2006 15:49:53 -0700

Without getting into the politics involved that got us here, suffice it to
say that someone with a lot of political clout, no Windows or Active
Directory experience (though considerable MAC/OS X experience), and a PhD at
the end of their name, made a decision to deploy openLDAP and Active
Directory would be fed with information through a connector written
specifically for that purpose.

For the most part this works well.  We have developed a web page that allows
users to change passwords, incorporated various (homegrown) connectors to
provide for single sign-on to most services, network drives, etc., all
platform independent, allowing users to freely move from Windows (~85% total
number of systems) to MAC OS-X systems (~15% total number of systems) using
the same set of credentials. One of the few areas where issues have arisen
is in the changing of a users status.  I have told them to modify
userAccountControl, the programmers (connector is written in OCaml so there
is a separate group that handles this) have decided that
msDs-User-Account-Control-Computed is the correct attribute to use in order
to enable, disable, lock, unlock, etc. a user account.

Can someone from this group tell me the differences between these attributes
and which would be the correct one to use for the stated purposes?

David Aragon


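To put Tony's answer in terms a connector author can test against: enable/disable is done by flipping the ACCOUNTDISABLE bit in userAccountControl, while the lockout and password-expired states are derived by the DC (from lockoutTime and pwdLastSet) and are only ever reported, through msDS-User-Account-Control-Computed; unlocking is done by setting lockoutTime to 0. The block below is an added example, not code from the thread or from the connector David describes. The flag values are the documented UF_* bits; the sample account values are constructed.

```python
"""Decode and plan userAccountControl changes, flagging the bits that only
exist in the constructed msDS-User-Account-Control-Computed attribute.

Added example, not from the original thread.
"""
from typing import Dict, List

UAC_FLAGS: Dict[str, int] = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}

# These two states are derived by the DC and surfaced only through the
# constructed attribute; writing them into userAccountControl does nothing.
COMPUTED_ONLY = {"LOCKOUT", "PASSWORD_EXPIRED"}


def decode_uac(value: int) -> List[str]:
    """Names of the flags set in a userAccountControl or computed value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def set_account_enabled(uac: int, enabled: bool) -> int:
    """New userAccountControl after enabling (clear bit) or disabling (set bit)."""
    bit = UAC_FLAGS["ACCOUNTDISABLE"]
    return uac & ~bit if enabled else uac | bit


def unlock_modification() -> Dict[str, str]:
    """The LDAP modify that actually unlocks an account."""
    return {"lockoutTime": "0"}


def plan_uac_change(current: int, wanted: int) -> Dict[str, List[str]]:
    """Describe the bit changes from `current` to `wanted` and call out any
    that cannot be made by writing userAccountControl at all."""
    changed = current ^ wanted
    added = [n for n, b in UAC_FLAGS.items() if changed & wanted & b]
    removed = [n for n, b in UAC_FLAGS.items() if changed & current & b]
    rejected = [n for n in added + removed if n in COMPUTED_ONLY]
    return {"set": added, "clear": removed, "not_writable": rejected}


if __name__ == "__main__":
    # Constructed: an ordinary user whose password never expires (0x10200).
    user = UAC_FLAGS["NORMAL_ACCOUNT"] | UAC_FLAGS["DONT_EXPIRE_PASSWORD"]
    print(hex(user), decode_uac(user))
    disabled = set_account_enabled(user, False)
    print(hex(disabled), decode_uac(disabled))
    # The value the computed attribute would show for that user while locked
    # out; trying to clear LOCKOUT via userAccountControl is flagged.
    print(plan_uac_change(user | UAC_FLAGS["LOCKOUT"], user), unlock_modification())
```

A connector that reads msDS-User-Account-Control-Computed to display status and writes userAccountControl (plus lockoutTime for unlock) gets all four operations David lists without ever touching the constructed attribute.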

Re: [ActiveDir] LDAP query struggle

2006-08-01 Thread Tony Murray
It depends a little on what you're looking for.  

Let's say you have a meeting room (MR1) and a user (Bob Smith) has Send on 
Behalf of permissions for the meeting room.  A search using MR1 would use 
publicDelegatesBL (the back link attribute) and would look something like this:

(&(objectclass=user)(objectcategory=person)(publicdelegatesbl=CN=MR1,CN=Users,DC=myco,DC=com))

A search using Bob Smith would use publicDelegates and would look something 
like this:
(&(objectclass=user)(objectcategory=person)(publicdelegates=CN=Bob 
Smith,CN=Users,DC=myco,DC=com))

Tony


-- Original Message --
From: "Gordon Pegue" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Tue, 1 Aug 2006 14:18:12 -0600

I'd like to create an LDAP query to return a list of users
that have the "Send on behalf" field populated in the
"Exchange General / Delivery Options" properties in ADUC.

I cannot seems to make sense of the syntax of the query...

(&(objectCategory=user)(publicDelegates=))

Is there something I'm missing or can someone provide the correct
query format to do what I need?

Thanks
Gordon Pegue

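The two filters Tony gives take a full DN as the assertion value, and a DN taken from user input or from another directory read can contain `(`, `)`, `*` or `\`, any of which either breaks the filter or silently widens it. The block below is an added example, not code from the thread: it builds both filters with RFC 4515 escaping and adds the presence form for Gordon's original question. The DNs are the ones from Tony's reply; the helper names are mine.

```python
"""Build the publicDelegates / publicDelegatesBL filters from the thread,
escaping the DN per RFC 4515 so a hostile or odd DN cannot alter the filter.

Added example, not code from the original thread.
"""

# RFC 4515 section 3: these characters in an assertion value are written as
# a backslash followed by two hex digits.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP search-filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def delegates_filter(dn: str, *, by_backlink: bool = False) -> str:
    """Send on Behalf lookups from the thread.

    by_backlink=False: objects that list `dn` as a delegate
        (publicDelegates=<dn>), Tony's "search using Bob Smith".
    by_backlink=True: the delegates of `dn`, via the back link
        (publicDelegatesBL=<dn>), Tony's "search using MR1".
    """
    attr = "publicDelegatesBL" if by_backlink else "publicDelegates"
    return ("(&(objectClass=user)(objectCategory=person)"
            f"({attr}={escape_filter_value(dn)}))")


def has_any_delegates_filter() -> str:
    """Gordon's goal: every user with the field populated at all.

    `(publicDelegates=)` as posted is an equality test against an empty
    string; the presence test is `(publicDelegates=*)`.
    """
    return "(&(objectClass=user)(objectCategory=person)(publicDelegates=*))"


if __name__ == "__main__":
    print(delegates_filter("CN=Bob Smith,CN=Users,DC=myco,DC=com"))
    print(delegates_filter("CN=MR1,CN=Users,DC=myco,DC=com", by_backlink=True))
    print(has_any_delegates_filter())
    # Constructed DN with characters that would otherwise break or widen the filter.
    print(delegates_filter("CN=Room (East) *,CN=Users,DC=myco,DC=com"))
```

Note that the escaping is for the filter only; a DN placed in a search base or written into an attribute is not escaped this way.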

Re: [ActiveDir] OT: A saturaday getaway.. ?

2006-07-31 Thread Tony Murray
We'll write this off as a one-off addressing error, shall we?

Tony

PS.  Is Saturaday a wet Saturday?
-- Original Message --
From: HBooGz <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Mon, 31 Jul 2006 15:53:02 -0400

Since we're all pretty busy with work , school , raiding corporations
(Rich),  planning a group vacation this summer is pretty hard.

I'd like to hit either Miami or Montreal next weekend for a few days, but
I'm not sure who can make it, if anyone at all.

that being said, I'm thinking we all should use a Saturday to hit a camp
site that has a lake, outdoor grill, etc. We can do an all day thing which
shouldn't affect anyone's schedule and wallet ( hopefully )

I've mentioned this to a few of you and I've gotten some feedback. So - if
most of you are down and interested, lets start planning --  plan for a rain
date as well.


Consider this an open-invitation.




-- 
hs


RE: [ActiveDir] OT: Domain List

2006-07-19 Thread Tony Murray
Have you thought of creating a custom administrative template for the
registry change for deployment via Group Policy?

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/admtgp.mspx

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Thursday, 20 July 2006 6:20 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Domain List

Using a GPO

How can I hide the drop-down list of domains that appears on the logon
screen of Windows 2000 and XP machines that are connected to a Domain?

OR

How can I force UPN Logon? Username: [EMAIL PROTECTED]
   Password: xx

I have found the following but it requires that the registry be edited on
every computer (not the solution I was hoping for) as this would take way
too long plus in order to change it I would have to edit every machine again



A. To remove the domain drop-down list from the logon screen and force users
to use their full user principal name (UPN), perform these steps:

Start the registry editor (regedit.exe).
Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon registry subkey.
From the Edit menu, select New, DWORD value.
Enter a name of NoDomainUI and press Enter.
Double-click the new value and set it to 1. Click OK.
Reboot the machine.


Any solutions or ideas would be much appreciated


Thanks,

Aaron



This communication, including any attachments, is confidential. If you are not 
the intended recipient, you should not read it - please contact me immediately, 
destroy it, and do not copy or use any part of this communication or disclose 
anything about it. Thank you. Please note that this communication does not 
designate an information system for the purposes of the Electronic Transactions 
Act 2002.

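
Tony's suggestion of a custom administrative template, as an added example written for this page (it is not a Microsoft-supplied template and is not from the thread). The registry key and the NoDomainUI value are the ones in Aaron's steps; the category and string names are my own choice.

```text
; NoDomainUI.adm - added example, not a template shipped by Microsoft.
; Deploys the Winlogon\NoDomainUI value from the steps above via Group Policy.
; Category and string names are this example's own; key and value are from the thread.
CLASS MACHINE

CATEGORY !!Cat_Winlogon
  POLICY !!Pol_NoDomainUI
    KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
#if version >= 3
    EXPLAIN !!Pol_NoDomainUI_Help
#endif
    VALUENAME "NoDomainUI"
    VALUEON  NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY

[strings]
Cat_Winlogon="Winlogon (custom)"
Pol_NoDomainUI="Hide the domain drop-down list on the logon screen (force UPN logon)"
Pol_NoDomainUI_Help="Enabled writes HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\NoDomainUI = 1 so the logon dialog shows no domain list and users must sign in with their UPN (user@domain). Disabled writes 0. Not Configured leaves whatever value is already in the registry, because Winlogon is not a Group Policy key."
```

Load it in the Group Policy Object Editor under Administrative Templates, Add/Remove Templates. Because Winlogon is not one of the Group Policy keys, the editor treats this setting as a preference rather than a true policy: it stays hidden until the filter for fully managed settings is turned off, and it tattoos the registry. To restore the normal logon dialog later, set the policy to Disabled (which writes 0) and let it apply before unlinking the GPO; simply removing the GPO leaves NoDomainUI at 1 on every machine that received it. As with the manual steps, Winlogon picks the change up at the next reboot.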


RE: [ActiveDir] Forest trust - domain drop down list

2006-07-18 Thread Tony Murray
Thanks Guido (and others)

It looks like the UPN and/or domain\userid approach with user education is
going to be the way forward.  It would be nice to collapse ForestB to a
single domain infrastructure, but it won't happen any time soon.  :-)

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, 15 July 2006 2:42 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trust - domain drop down list

yes Tony, this is standard behaviour - you'll only "see" domains that are
directly trusted. Trust type doesn't matter. Even though a forest trust will
be transitive to all child domains by default, you'll have to use UPN to
authenticate to a child domain. Which is another reason why empty
placeholder roots don't really make an administrator's life easier...  The
challenges continue for viewing objects of a trusted child-domain accross a
forest trust in the object picker - afaik, it will also just show you the
root domain (but you can find objects in the child by searching the GC...)

if you put in a normal external trust between your DomB and the DomA2,
you'll lose the benefit of kerberos authentication from your forest trust
(when choosing DomA2 in the logon window). If that's ok for you, this is a
solution, but then you might as well get rid of the forest trust...

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Freitag, 14. Juli 2006 05:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Forest trust - domain drop down list

Here's the scenario

Forest trust between ForestA and ForestB.
ForestA has two domains DomA1 (placeholder root) and DomA2
ForestB has one domain DomB

Users from DomA2 sometimes log into DomB member machines.  DomA2 is not
shown in the drop-down list of domain names in the login dialog.
DomA1 is shown.

Users from DomB sometimes log into DomA2 member machines.  DomB is not shown
in the drop-down list of domain names in the login dialog.

Is it normal behaviour for the drop-down list not to show all the domains
with trusts (including those that are transitive via the forest trust)?  If
so, is there any way to change the behaviour?

The users can obviously login using UPN, but they are not used to doing this
and there is talk of putting in an explicit domain trust between DomA2 and
DomB simply to get around this.  Ugh.

Tony





[ActiveDir] Forest trust - domain drop down list

2006-07-13 Thread Tony Murray
Here's the scenario

Forest trust between ForestA and ForestB.
ForestA has two domains DomA1 (placeholder root) and DomA2
ForestB has one domain DomB

Users from DomA2 sometimes log into DomB member machines.  DomA2 is
not shown in the drop-down list of domain names in the login dialog.
DomA1 is shown.

Users from DomB sometimes log into DomA2 member machines.  DomB is
not shown in the drop-down list of domain names in the login dialog.

Is it normal behaviour for the drop-down list not to show all the
domains with trusts (including those that are transitive via the
forest trust)?  If so, is there any way to change the behaviour?

The users can obviously login using UPN, but they are not used to
doing this and there is talk of putting in an explicit domain trust
between DomA2 and DomB simply to get around this.  Ugh.

Tony





RE: [ActiveDir] Replication Problem After DC Demotion

2006-07-13 Thread Tony Murray
Are the DNS client settings on the DC in the remaining site maybe pointing
to the old DC?

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Riley, Devin
Sent: Friday, 14 July 2006 12:35 p.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Problem After DC Demotion

We just demoted a W2K DC in our primary site. The demotion was successful and
the NTDS object associated with the DC was removed from AD Sites & Services.

In our only other site, the one domain controller is reporting replication
problems. Replmon is reporting the following: The DSA Operation is unable to
proceed because of a DNS lookup failure.

The error code from replmon is 8524

Over an hour has passed. The replication topology is automatic and we have all
default settings in regards to replication schedules etc.

Any suggestions?

Devin

RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

2006-07-11 Thread Tony Murray
As of the end of next week you won’t
have to put up with it any longer.   I’m moving on.  J

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of joe
Sent: Wednesday, 12 July 2006 2:51 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Gotta love that signature Tony... I promise not to disclose this information to
anyone.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ ---
I'm serious, you will learn absolutely nothing about Defending Security
Infrastructures.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, July 11, 2006 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [List Owner] OOFs from Steven Comeau

Hi all

I have temporarily suspended Steven Comeau’s subscription,
which should stop the out of office replies hitting the list.

Tony

[ActiveDir] [List Owner] OOFs from Steven Comeau

2006-07-11 Thread Tony Murray
Hi all

I have temporarily suspended Steven Comeau’s
subscription, which should stop the out of office replies hitting the list.

Tony

RE: [ActiveDir] [OT] Active Directory Cookbook 2e

2006-06-15 Thread Tony Murray
Yeah, those imports are always really pricey. :-)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 16 June 2006 4:14 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Active Directory Cookbook 2e

In the spirit of sharing we have here on AD ORG, here is the yacht Laura
is eyeing...

http://www.flickr.com/photos/chardsy/14145521/ 


With outrageous sales numbers she may be able to actually attain it. The
cookbook sells much better than the normal AD books...

:)

  joe


P.S. Hmm seems there are some missing commas in the post below...


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Thursday, June 15, 2006 12:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory Cookbook 2e

Go buy the new edition, all the cool people are doing it!  ;-)

But seriously, folks, there's some pretty nice changes in existing
content as well as a bunch of new stuffs. We tried to add at least a
handful of new recipes in each chapter, as well as updating the existing
recipes with command-line stuff (lots of adfind/admod) as well as fixing
various errata.

The new content is a chapter on Exchange (mostly courtesy of joe), a
chapter on MIIS from Gil Kirkpatrick and Steven Plank, and a chapter
each on ADAM, ADFS, and the new File/Print stuff in R2.

I for one think that it's a substantial update to the already-wonderful
1st Edition. Robbie found me a wonderful group of reviewers - joe and Al
Mulnick in particular kicked my butt from here into next week during the
TR process.  Also much good help from TonyM, RBuike and Rick Kingslan,
and Darren Mar-elia kept us all honest on the Group Policy chapter.

So anyway.  Go buy it so that I can afford that new yacht I've been
eyeing up lately.  ;-)

- Laura



On 6/14/06, joe <[EMAIL PROTECTED]> wrote:
>
> Laura will have to stop by and explain what has really changed. 
> However I know that the chapter I wrote for the Windows Server 
> Cookbook for Exchange tasks got pulled into it and extended (and 
> probably some corrections as well). That same chapter went into AD3E 
> as well but I trimmed it down considerably for AD3E as the format 
> didn't fit right. Obviously it fit perfectly for the AD Cookbook.
>
> I believe there is an ADAM chapter now.
>
> I am sure some errata got input as well as issues I and probably 
> others found on the second pass that we didn't find on the first or 
> maybe we did find on the first but for some reason or another didn't 
> make it into the final. (that never happens )
>
> Ummm I know Laura added a ton of adfind/admod examples because she 
> would write me an email every week with a list of questions for the 
> week and I would respond to it for her. Plus if I saw places it could 
> be added in the chapters themselves I put in notes for her.
>
> Sheeoot. I used to know what was changed as I reviewed the darn thing 
> and was doing Word compares between the chapters but I'll be darned if
> I can recall everything now... I must be gettin' old.
>
> I recall Laura was really busting ass on it.
>
> --
> O'Reilly Active Directory Third Edition - 
> http://www.joeware.net/win/ad3e.htm
>
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: Wednesday, June 14, 2006 7:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory Cookbook 2e
>
>
> I have had a look at the O'Reilly website and cannot see what the 
> differences between the 1st and 2nd editions are. Is it Errata or new 
> content?
>
>
>
> So I am now wondering - why should I buy this, apart from the Authors 
> and the Blue Fin Tuna on the front?
>
>
> 
>
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> Sent: 14 June 2006 06:19
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Active Directory Cookbook 2e
>
>
>
> .is now out.
>
>
>
> http://www.oreilly.com/catalog/activedckbk2/
>
>
>
> Tony

RE: [ActiveDir] Cross forest issue

2006-06-15 Thread Tony Murray
You can only add members to Domain Local groups across the forest
trust.  Behaviour by design.

Tony

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Friday, 16 June 2006 7:56 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Cross forest issue

Been a while since I looked at this and I've only got one
forest in VM on my machine at the moment so I can't test it, but I believe that
if you create a global group in ForestA you can add it to a Universal group in
ForestB. You will not be able to add users from ForestA to the Domain Admins
group in ForestB, but you can add them to the Administrators group (which
you've already figured out).

The way I've always dealt with this was to have admin
accounts in each forest, not as ideal as a unified admin account, but quite
workable.

Phil

On 6/15/06, Guest, Mike <[EMAIL PROTECTED]> wrote:

Hi,

New member here, with an issue L

We have implemented 2 forests with a cross forest trust such that forest B
trusts forest A one-way.

The intention is that all admins in forest A will be able to manage both
forests, and that accounts in forest B cannot be authenticated in forest A.

Whilst I can add the admins from forest A into a domain local group in forest
B, allowing me to grant "administrators" rights, I cannot add any
security principal from forest A to a universal (or global) group in forest B.
This precludes me from granting domain, enterprise or schema admin rights to
the forest A administrators – and thus defeats the objective of having the
admins in a single forest.

(FYI, creating a DL, adding a remote user, then trying to change that group to
a universal group gives the message "Foreign security principals cannot be
members of universal groups")

Forest B is in a DMZ, and is solely being used to give the benefits of
centralised management to the servers in the DMZ. Consequently, we want to
avoid having many user accounts in that forest. Company policy states that
every admin must log on using their own account.

Hope you can help.

__
Mike Guest | Capgemini | Sale
Server Support | Outsourcing UK
Office: + 44 (0)870 366 1814 | 700 1814 | [EMAIL PROTECTED]
77-79 Cross Street, Sale, Cheshire. M33 7HG

Join the Collaborative Business Experience
__

This message contains information that may be privileged or confidential and is
the property of the Capgemini Group. It is intended only for the person to
whom it is addressed. If you are not the intended recipient, you are not
authorized to read, print, retain, copy, disseminate, distribute, or use this
message or any part thereof. If you receive this message in error, please
notify the sender immediately and delete all copies of this message.

RE: [ActiveDir] Active Directory Cookbook 2e

2006-06-14 Thread Tony Murray
Sounds about right.  From what I
remember from the review there is a new chapter on printers and shared folders
(R2 stuff), a MIIS chapter, and one on ADFS.

I really struggled with the time
given to do the review.  I think we were given 2 weeks [1]

Tony

[1] ..but then I am prone to exaggeration.
J

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of joe
Sent: Thursday, 15 June 2006 12:36 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Cookbook 2e

Laura will have to stop by and explain what has really changed.
However I know that the chapter I wrote for the Windows Server Cookbook for
Exchange tasks got pulled into it and extended (and probably some corrections
as well). That same chapter went into AD3E as well but I trimmed it down
considerably for AD3E as the format didn't fit right. Obviously it fit
perfectly for the AD Cookbook.

I believe there is an ADAM chapter now.

I am sure some errata got input as well as issues I and probably
others found on the second pass that we didn't find on the first or maybe we
did find on the first but for some reason or another didn't make it into the
final. (that never happens )

Ummm I know Laura added a ton of adfind/admod examples because she
would write me an email every week with a list of questions for the week and I
would respond to it for her. Plus if I saw places it could be added in the
chapters themselves I put in notes for her.

Sheeoot. I used to know what was changed as I reviewed the darn
thing and was doing Word compares between the chapters but I'll be darned if I
can recall everything now... I must be gettin' old.

I recall Laura was really busting ass on it.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 14, 2006 7:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Cookbook 2e

I have had a look at the O’Reilly website and cannot see what the
differences between the 1st and 2nd editions are. Is it
Errata or new content?

So I am now wondering – why should I buy this, apart from the
Authors and the Blue Fin Tuna on the front?

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Tony Murray
Sent: 14 June 2006 06:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Cookbook 2e

…is now out.

http://www.oreilly.com/catalog/activedckbk2/

Tony

RE: [ActiveDir] gpo and script

2006-06-14 Thread Tony Murray
I've just re-read your email and I might have misunderstood.  Are you
asking whether it is possible to manage GPOs without the GPMC
interfaces?  If so, I believe the answer is no.  The interfaces rely on
gpmgmt.dll, which is installed as part of the GPMC.  For more
information, see the gpmc.chm file in the %programfiles%\gpmc\scripts
folder.

Tony 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, 15 June 2006 9:38 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] gpo and script

Hi Myke

Yes it is possible.  Have a look at the sample scripts that come with
the Group Policy Management Console (GPMC).

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myke
Sent: Thursday, 15 June 2006 9:05 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] gpo and script

It's possible to manage GPO using vbscript (without GPMC)?
eg. list all GPO.

cheers,

Myke

RE: [ActiveDir] gpo and script

2006-06-14 Thread Tony Murray
Hi Myke

Yes it is possible.  Have a look at the sample scripts that come with
the Group Policy Management Console (GPMC).

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myke
Sent: Thursday, 15 June 2006 9:05 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] gpo and script

It's possible to manage GPO using vbscript (without GPMC)?
eg. list all GPO.

cheers,

Myke

[ActiveDir] Active Directory Cookbook 2e

2006-06-13 Thread Tony Murray
…is now out.

http://www.oreilly.com/catalog/activedckbk2/

Tony

RE: [ActiveDir] UserName & Psswd Script

2006-06-13 Thread Tony Murray
I have manually unsubscribed the address.

Tony

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Phil Renouf
Sent: Wednesday, 14 June 2006 8:12 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] UserName & Psswd Script

Hi Pete,

Have you tried going to the site listed at the bottom of
every message?

If you go to http://www.activedir.org/List.aspx you
will find instructions on how to unsubscribe from the list.

Take care!

Phil

On 6/13/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

PLEASE TAKE ME OFF YOUR LIST I AM GETTING HUNDREDS OF
UNSOLICITED EMAILS, THX PETE

-- Original message --
From: <[EMAIL PROTECTED]>

> Why a script?
>
> Why not:
> "Net use * \\server\share /u:server\user *"
>
> i.e. connect using an account defined locally on the machine named
> 'server'.
>
>
> neil
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue
> Sent: 13 June 2006 16:19
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] UserName & Psswd Script
>
> I need to map to a windows standalone server from a domain machine with
> a different username and password other than the domain account. Anyone
> care to share a script?
>
> Thank you,
> Z.V.
>
> PLEASE READ: The information contained in this email is confidential and
> intended for the named recipient(s) only. If you are not an intended
> recipient of this email please notify the sender immediately and delete your
> copy from your system. You must not copy, distribute or take any further
> action in reliance on it. Email is not a secure method of communication and
> Nomura International plc ('NIplc') will not, to the extent permitted by law,
> accept responsibility or liability for (a) the accuracy or completeness of,
> or (b) the presence of any virus, worm or similar malicious or disabling
> code in, this message or any attachment(s) to it. If verification of this
> email is sought then please request a hard copy. Unless otherwise stated
> this email: (1) is not, and should not be treated or relied upon as,
> investment research; (2) contains views or opinions that are solely those of
> the author and do not necessarily represent those of NIplc; (3) is intended
> for informational purposes only and is not a recommendation, solicitation or
> offer to buy or sell securities or related financial instruments. NIplc
> does not provide investment services to private customers. Authorised and
> regulated by the Financial Services Authority. Registered in England
> no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
> London, EC1A 4NP. A member of the Nomura group of companies.

RE: [ActiveDir] bitwise filters

2006-06-12 Thread Tony Murray
Hi M@

Responses in-line.

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, 13 June 2006 8:08 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] bitwise filters

Guys,

I have a few questions on bitwise filters.

1. I just wanna make sure I've understood bitwise filters correctly.
Basically if I want to check if all bits are set, I should use the Bitwise AND 
operator. If I need to check if any number of the bits I am interested in are 
set, I should use the OR operator. Therefore the OR operator is best used in 
multiple bit checking scenarios. If I am checking for only one bit (and not
multiple bits), then I should use the AND operator. I guess it really doesn't
matter. It's just the logic behind it.

***TM: Your understanding is correct.

If I want a list of global and local groups, I could either do a search for 
groups that are not universal or I could do a search for groups that have the 
bit for either global or local set, couldn't I? i.e.
(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=6)) or 
(&(objectcategory=group)(!(grouptype:1.2.840.113556.1.4.803:=8))).
Please correct me if I am wrong.

***TM: The first filter looks better to me.  The second one would not find 
Universal security groups (because with the AND matching rule all of the bits 
must match).  Universal security groups have a decimal value of 2147483656.

2. How do I find the bitwise filter OID for AND or OR without referring to 
manuals. Can I query this in the directory or is it hardcoded?

***TM: I don't believe you'll find it in the directory (i.e. it's not part of 
the schema).  It is however a (Microsoft) registered OID.  See 
http://www.alvestrand.no/objectid/1.2.840.113556.1.4.html

3. Joe,

Could you please explain why the group type value output in adfind is minus? If 
I do a query with -f 
"(objectcategory=group)(grouptype:1.2.840.113556.1.4.803:=2147483650)"
grouptype, I get -2147483646 as the output. The results are correct. I just 
want to understand why the output is minus.

***TM: I'm sure Joe will answer this one.

Thanks

M@
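
To make the matching-rule semantics in this thread concrete, here is an added Python example (written for this page; it is not code from the list, from adfind or from Microsoft). It implements the two matching rules by the OIDs quoted above, runs M@'s two filters and the groupType:1.2.840.113556.1.4.803:=2147483650 filter from question 3 over a constructed set of groups, and shows where the negative number in question 3 comes from. The flag bits are Microsoft's published groupType values; the group names and which bits each carries are constructed for the example.

```python
# Added example for the bitwise-filter thread; not code from the list or from adfind.
# Evaluates AD's bitwise LDAP matching rules against groupType and shows why a
# groupType with the security-enabled bit set is displayed as a negative number.

# Matching-rule OIDs quoted in the thread.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # all bits in the mask set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any bit in the mask set

# groupType flag bits (Microsoft's published values).
GROUP_TYPE_BUILTIN_LOCAL = 0x00000001
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def to_unsigned32(value: int) -> int:
    """Bit pattern of a 32-bit value, whether it was given signed or unsigned."""
    return value & 0xFFFFFFFF


def to_signed32(value: int) -> int:
    """The same bit pattern read as a signed 32-bit integer, which is how the
    directory stores groupType and how adfind prints it (question 3)."""
    value = to_unsigned32(value)
    return value - 0x100000000 if value & 0x80000000 else value


def bit_and_matches(value: int, mask: int) -> bool:
    """(attr:1.2.840.113556.1.4.803:=mask): every bit of mask is set in value."""
    return (to_unsigned32(value) & mask) == mask


def bit_or_matches(value: int, mask: int) -> bool:
    """(attr:1.2.840.113556.1.4.804:=mask): at least one bit of mask is set."""
    return (to_unsigned32(value) & mask) != 0


def evaluate(rule_oid: str, value: int, mask: int) -> bool:
    """Dispatch on the OID exactly as it appears in an LDAP filter."""
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        return bit_and_matches(value, mask)
    if rule_oid == LDAP_MATCHING_RULE_BIT_OR:
        return bit_or_matches(value, mask)
    raise ValueError(f"unknown matching rule {rule_oid}")


# Constructed sample directory: (cn, groupType) pairs, one of each group kind.
SAMPLE_GROUPS = [
    ("Sales-Global", GROUP_TYPE_SECURITY_ENABLED | GROUP_TYPE_GLOBAL),           # 2147483650
    ("FileShare-DL", GROUP_TYPE_SECURITY_ENABLED | GROUP_TYPE_DOMAIN_LOCAL),     # 2147483652
    ("AllStaff-Universal", GROUP_TYPE_SECURITY_ENABLED | GROUP_TYPE_UNIVERSAL),  # 2147483656
    ("Newsletter-DistList", GROUP_TYPE_UNIVERSAL),                               # 8 (distribution)
    ("Builtin-Admins", GROUP_TYPE_SECURITY_ENABLED | GROUP_TYPE_BUILTIN_LOCAL
                       | GROUP_TYPE_DOMAIN_LOCAL),                               # 2147483653
]


def global_or_local_via_or(groups):
    """(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=6))"""
    mask = GROUP_TYPE_GLOBAL | GROUP_TYPE_DOMAIN_LOCAL  # 6
    return [cn for cn, gt in groups if evaluate(LDAP_MATCHING_RULE_BIT_OR, gt, mask)]


def not_universal_via_and(groups):
    """(&(objectcategory=group)(!(grouptype:1.2.840.113556.1.4.803:=8)))"""
    return [cn for cn, gt in groups
            if not evaluate(LDAP_MATCHING_RULE_BIT_AND, gt, GROUP_TYPE_UNIVERSAL)]


def security_enabled_global(groups):
    """(grouptype:1.2.840.113556.1.4.803:=2147483650): both the security bit and
    the global bit must be set, so distribution groups never match."""
    mask = GROUP_TYPE_SECURITY_ENABLED | GROUP_TYPE_GLOBAL  # 2147483650
    return [cn for cn, gt in groups if evaluate(LDAP_MATCHING_RULE_BIT_AND, gt, mask)]


if __name__ == "__main__":
    print("OR :=6            ->", global_or_local_via_or(SAMPLE_GROUPS))
    print("!(AND :=8)        ->", not_universal_via_and(SAMPLE_GROUPS))
    print("AND :=2147483650  ->", security_enabled_global(SAMPLE_GROUPS))
    for cn, gt in SAMPLE_GROUPS:
        print(f"{cn:20s} unsigned={gt:>10d} signed={to_signed32(gt):>11d}")
```

Running it prints the three result lists and, for each sample group, the value both ways: 2147483650 (0x80000002) comes out as -2147483646 in the signed column because 0x80000000, the security-enabled bit, is the sign bit of a 32-bit integer. The helpers accept either form, so a filter value can be written as the unsigned number the documentation lists or as the signed number a tool displays, and the OR filter for 6 and the negated AND filter for 8 can be compared side by side on the same sample.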

RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

2006-06-12 Thread Tony Murray
Here’s another option.

http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=45

There is a Group Policy setting that allows you to override any DNS
Servers configured in client IP settings (either manually or via DHCP).
Unfortunately, it only works on XP.

Computer Configuration\Administrative Templates\Network\DNS Client\DNS
Servers

Tony

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Richard Kline
Sent: Tuesday, 13 June 2006 10:51 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses
per server

This came from MSDN’s Scriptomatic 2.0.

It dumps everything!  Remove the many many lines which you
don’t need.   Edit the constant “SERVERNAME” to the machine in
question.   I’ve not tried it but I think that you can put in
multiple names separated by commas.

Rich

On Error Resume Next

' WMI flags: return the enumerator immediately and as a forward-only stream
Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

' Edit this list: one or more machine names, e.g. Array("SERVER1", "SERVER2")
arrComputers = Array("SERVERNAME")

For Each strComputer In arrComputers
   WScript.Echo
   WScript.Echo "=="
   WScript.Echo "Computer: " & strComputer
   WScript.Echo "=="

   Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
   Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration", "WQL", _
                                          wbemFlagReturnImmediately + wbemFlagForwardOnly)

   ' Array-valued properties (gateways, DNS servers, addresses) are joined with commas.
   ' On an adapter without IP bound they are Null and Join fails; On Error Resume Next swallows that.
   For Each objItem In colItems
      WScript.Echo "ArpAlwaysSourceRoute: " & objItem.ArpAlwaysSourceRoute
      WScript.Echo "ArpUseEtherSNAP: " & objItem.ArpUseEtherSNAP
      WScript.Echo "Caption: " & objItem.Caption
      WScript.Echo "DatabasePath: " & objItem.DatabasePath
      WScript.Echo "DeadGWDetectEnabled: " & objItem.DeadGWDetectEnabled
      strDefaultIPGateway = Join(objItem.DefaultIPGateway, ",")
      WScript.Echo "DefaultIPGateway: " & strDefaultIPGateway
      WScript.Echo "DefaultTOS: " & objItem.DefaultTOS
      WScript.Echo "DefaultTTL: " & objItem.DefaultTTL
      WScript.Echo "Description: " & objItem.Description
      WScript.Echo "DHCPEnabled: " & objItem.DHCPEnabled
      WScript.Echo "DHCPLeaseExpires: " & WMIDateStringToDate(objItem.DHCPLeaseExpires)
      WScript.Echo "DHCPLeaseObtained: " & WMIDateStringToDate(objItem.DHCPLeaseObtained)
      WScript.Echo "DHCPServer: " & objItem.DHCPServer
      WScript.Echo "DNSDomain: " & objItem.DNSDomain
      strDNSDomainSuffixSearchOrder = Join(objItem.DNSDomainSuffixSearchOrder, ",")
      WScript.Echo "DNSDomainSuffixSearchOrder: " & strDNSDomainSuffixSearchOrder
      WScript.Echo "DNSEnabledForWINSResolution: " & objItem.DNSEnabledForWINSResolution
      WScript.Echo "DNSHostName: " & objItem.DNSHostName
      strDNSServerSearchOrder = Join(objItem.DNSServerSearchOrder, ",")
      WScript.Echo "DNSServerSearchOrder: " & strDNSServerSearchOrder
      WScript.Echo "DomainDNSRegistrationEnabled: " & objItem.DomainDNSRegistrationEnabled
      WScript.Echo "ForwardBufferMemory: " & objItem.ForwardBufferMemory
      WScript.Echo "FullDNSRegistrationEnabled: " & objItem.FullDNSRegistrationEnabled
      strGatewayCostMetric = Join(objItem.GatewayCostMetric, ",")
      WScript.Echo "GatewayCostMetric: " & strGatewayCostMetric
      WScript.Echo "IGMPLevel: " & objItem.IGMPLevel
      WScript.Echo "Index: " & objItem.Index
      strIPAddress = Join(objItem.IPAddress, ",")
      WScript.Echo "IPAddress: " & strIPAddress
      WScript.Echo "IPConnectionMetric: " & objItem.IPConnectionMetric
      WScript.Echo "IPEnabled: " & objItem.IPEnabled
      WScript.Echo "IPFilterSecurityEnabled: " & objItem.IPFilterSecurityEnabled
      WScript.Echo "IPPortSecurityEnabled: " & objItem.IPPortSecurityEnabled
      strIPSecPermitIPProtocols = Join(objItem.IPSecPermitIPProtocols, ",")
      WScript.Echo "IPSecPermitIPProtocols: " & strIPSecPermitIPProtocols
      strIPSecPermitTCPPorts = Join(objItem.IPSecPermitTCPPorts, ",")
      WScript.Echo "IPSecPermitTCPPorts: " & strIPSecPermitTCPPorts
      strIPSecPermitUDPPorts = Join(objItem.IPSecPermitUDPPorts, ",")
      WScript.Echo "IPSecPermitUDPPorts: " & strIPSecPermitUDPPorts
      strIPSubnet = Join(objItem.IPSubnet, ",")
      WScript.Echo "IPSubnet: " & strIPSubnet
      WScript.Echo "IPUseZeroBroadcast: " & objItem.IPUseZeroBroadcast
      WScript.Echo "IPXAddress: " & objItem.IPXAddress
      WScript.Echo "IPXEnabled: " & objItem.IPXEnabled
      strIPXFrameType = Join(objItem.IPXFrameType, ",")
      WScript.Echo "IPXFrameType: " & strIPXFrameType
      WScript.Echo "IPXMediaType: " & objItem.IPXMediaType
      strIPXNetworkNumber = Join(objItem.IPXNetworkNumber, ",")
      WScript.Echo "IPXNetworkNumber: " & strIPXNetworkNumber
      WScript.Echo "IPXVirtualNetNumber: " & objItem.IPXVirtualNetNumber
   Next
Next

' Converts a WMI datetime string (yyyymmddHHMMSS.ffffff+UTC offset) to a VBScript Date.
' Returns an empty string for Null, e.g. DHCPLeaseExpires on a statically addressed adapter.
Function WMIDateStringToDate(dtmDate)
   If IsNull(dtmDate) Then
      WMIDateStringToDate = ""
   Else
      WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & Mid(dtmDate, 7, 2) & "/" & _
                            Left(dtmDate, 4) & " " & Mid(dtmDate, 9, 2) & ":" & _
                            Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate, 13, 2))
   End If
End Function


RE: [ActiveDir] User Accounts

2006-06-08 Thread Tony Murray
Great info ~Eric! 

The link to the start of the thread is: 

http://www.activedir.org/ml/msg08620.aspx 

We've just moved the archive onto the ActiveDir.org web site and we're
having one or two teething problems with the search feature.  :-)

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, 9 June 2006 10:38 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

After this thread (I believe Dean asked what the error was at one point,
but I can't find that tip of the thread right now), I decided to go
ahead and test this.
http://blogs.technet.com/efleis/archive/2006/06/08/434255.aspx

I'll blog some more on other things we found along the way over the next
few days.

~Eric


-Original Message-
From: Eric Fleischman
Sent: Wednesday, April 19, 2006 7:39 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] User Accounts

> DNTs are reusable in ESE, however ADs implementation does not allow DNTs
> to be released / reused on a single server, and the database will only
> "reuse" them if you recreate the DB by repromoting (cause the data is
> replicated from other servers into a virgin ESE, and DNTs are assigned
> from the beginning at this point).

Basically, yes. Though I would point out, this is hardly reusing
DNTs...this is more starting over. :) For the sake of clarity I would
point out that such a re-promotion would need to be over the wire and
not IFM. IFM just picks up where the last left off, as you are using the
old database again, and so the same AD level rules apply.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Tuesday, April 18, 2006 11:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

>* DNTs (to me) are _not_ a component of the directory

IIRC they are like a (primary/foreign) key in a database. Technically
not needed by the database layer, and not needed by the application, but
needed to keep the data together for the application. So if you look at
AD from the outside it won't be referenced, if you look at ESE it's just
a DB and doesn't care about the data stored within, but you still need
it in between to store the AD in the ESE.
Right?

>* DNTs are not reusable

Unique per Server and don't provide any reference across servers. If AD
looks for a parent object by looking up it's known DNT (stored with the
child), ESE would fail in that moment, AD would not able to go to
another server and look up the same DNT in it's database. The AD is
distributed, the ESE is local, and DNTs are part of the local table.

If I understand correctly:
DNTs are reusable in ESE, however ADs implementation does not allow DNTs
to be released / reused on a single server, and the database will only
"reuse"
them if you recreate the DB by repromoting (cause the data is replicated
from other servers into a virgin ESE, and DNTs are assigned from the
beginning at this point).

Right?

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
|Sent: Wednesday, April 19, 2006 1:18 AM
|To: Send - AD mailing list
|Subject: RE: [ActiveDir] User Accounts
|
|Inline is my take on an IM conv. Brett and I just had, the result and 
|content of which turned up some interesting (to me at least) 
|implementation details.  The short story is -
|
|* DNTs (to me) are _not_ a component of the directory
|   - they _are_ a component of the layer that bridges the two (dblayer)
|   - to Brett, I believe he sees them within the sum of "what is the directory"
|* DNTs (to both Brett and I) are not part of ESE
|* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
|* DNTs are not reusable
|
|I hope the summary and conversational text inline proves useful.
|
|--
|Dean Wells
|MSEtechnology
|* Email: [EMAIL PROTECTED]
|http://msetechnology.com
|
| 
|
|> -Original Message-
|> From: [EMAIL PROTECTED]
|> [mailto:[EMAIL PROTECTED] On Behalf Of
|Brett Shirley
|> Sent: Tuesday, April 18, 2006 5:11 PM
|> To: ActiveDir@mail.activedir.org
|> Cc: Send - AD mailing list
|> Subject: RE: [ActiveDir] User Accounts
|> 
|> 
|> Dean, I didn't understand this comment ...
|>  > But, dude, seriously, you weren't aware that AD's ESE
|used a 32 bit
|> DNT?
|>  > Methinks perhaps you're muddling in the realms of personal 
|> interpretation  > ... though I'm quite certain you'll argue that too 
|> ... ESE purist :0p
|> 
|> Are you claiming that ESE knows what a DNT is?
|
|Not at all ... but IMO, neither does the directory ... and per our IM, 
|the dblayer knows what they are (after all,

RE: [ActiveDir] AD LDAP Logging.

2006-06-07 Thread Tony Murray









Hi Yann

One option would be to enable logging of all LDAP searches against the DC.

http://www.activedir.org/article.aspx?aid=97

Tony

PS.  We’re just loading a new version of the site, so it might take a few minutes before you can load the page.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Yann
Sent: Thursday, 8 June 2006 6:39 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD LDAP Logging.



 



Hello,

I need advice about troubleshooting LDAP connections to one of my DCs in my AD2k3.

An application named ZOPE running on a linux box accesses my DC.

Users use a web page, via the ZOPE application, that connects to my DC to list user information.  Sometimes users are disconnected from my DC, and the admin who is responsible for the ZOPE app called me to resolve this issue.

What are the different steps to tshoot a possible problem with LDAP connections to my DC?

Thanks in advance for help,

Yann





This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.





[ActiveDir] OT: Move Enterprise CA

2006-06-05 Thread Tony Murray








Hi all

I have to move an Enterprise CA from one DC to another.  The following article appears to show the required steps.

How to move a certification authority to another server
http://support.microsoft.com/?kbid=298138

For those of you that have done this, is the process as straightforward as it appears?  Anything to look for that isn’t mentioned in the article?

Tony








RE: [ActiveDir] setting the regional settings with GPO or other scripts...

2006-06-01 Thread Tony Murray
You can set the default language and prevent users from changing the
regional settings in Control Panel using the following setting:

USER\Administrative Templates\Control Panel\Regional and Language
Options

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Friday, 2 June 2006 8:34 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] setting the regional settings with GPO or other
scripts...

Hi, 
I would like to restrict the users from changing the regionals
settings on their laptops. Also I would like to push the configuration
as to date format and number decimals value and such. 
Anyone has a way to do that centrally?


Thanks!
Note: I'm googling for it right now, sorry if there is an easy answer
for this one; I'm actually in a little hurry so I didn't search before
posting. Sorry for that.



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx




RE: [ActiveDir] Deny Read Permissions to Group Policy

2006-05-31 Thread Tony Murray
On the Scope tab of the GPO in the GPMC look at the Security Filtering
section.  The default is to have the policy applied to "Authenticated
Users".  Probably the easiest option for you is to:

- Create a group and add the 55 users as members.
- Remove "Authenticated Users" from the Security Filter.
- Add the newly created group to the Security Filter.

You could also use the Deny method, but this is generally not
recommended as it is harder to troubleshoot.  Also, you can achieve
everything you need to without using Deny.

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Anthony
Crawford
Sent: Thursday, 1 June 2006 9:03 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Deny Read Permissions to Group Policy


I have a sub OU with 60 users and I wish to apply a group policy to 55
of the users.  I assume the easy way is to deny read permissions to the
policy for the handful of employees I do not want the policy to apply
to.  I have gpmc open and looking under security filtering and can't
seem to figure out how to accomplish this.  If there is a better method
then deny reading of the policy, I'll take the advice.

Thanks.

Tony


RE: [ActiveDir] Query for user AD info from web application

2006-05-30 Thread Tony Murray
> Third, an X500 address would be unusual,...

Not an everyday occurrence, I agree, but I see these pretty frequently
with organizations that have migrated within Exchange 5.5 and then have
migrated to Exchange 2000/2003 (or an ADC is in place).  Typically, they
are used to support replies to emails in situations where the sender's
DN has changed. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, 31 May 2006 11:48 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Query for user AD info from web application

First off I generally try to dissuade folks from using the SQL format
for querying LDAP directories, it makes developers think capability
exists that doesn't. 

Second, mail attribute is not going to have any type of address other
than SMTP. 

Third, an X500 address would be unusual, do you mean X400 address? Every
mailbox has an X400 address by default, that will be maintained in
proxyAddresses and textEncodedOrAddress (same value in both). The only
default X500 address in Exchange would be what is used for the
legacyExchangeDN which is not maintained in proxyAddresses. The only
time you would have an X500 in proxyAddresses is if you manually added
it (say you modified the LEDN and wanted to keep the old one around for
routing, permissions, etc).

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Tuesday, May 30, 2006 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query for user AD info from web application

Our internet web application use AD to pull user information. They start
with the users email address and then look up other information.

We've notice today that if a user has a X500 address our query doesn't
work.

Here's what the web developer sent me

SELECT displayName FROM 'GC://DOMAIN.COM' WHERE
objectCategory='organizationalPerson' AND ((mail = '[EMAIL PROTECTED]'))

I don't know why a X500 address would mess this up, ideas?

Thanks,jb

--
Jason Benway
Network Services Manager
[EMAIL PROTECTED]
GHSP
1250 S.Beechtree
Grand Haven, MI 49417
616-847-8474
Fax: 616-850-1208


RE: [ActiveDir] Query for user AD info from web application

2006-05-30 Thread Tony Murray
The search filter shown below would not be the cause of any issues
associated with an X.500 address.  We probably need to see more of the
code.  The attribute "mail" is single-valued, so the X500 address is
stored in the "proxyAddresses" attribute.  

Once the displayName attribute is returned from the search what happens
next?  What follows is more likely to be where the issue lies, as you
say that the web application then looks up "other information".  Does
this include "proxyAddresses"?

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Wednesday, 31 May 2006 6:59 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query for user AD info from web application

Our internet web application use AD to pull user information. They start
with the users email address and then look up other information.

We've notice today that if a user has a X500 address our query doesn't
work.

Here's what the web developer sent me

SELECT displayName FROM 'GC://DOMAIN.COM' WHERE
objectCategory='organizationalPerson' AND ((mail = '[EMAIL PROTECTED]'))

I don't know why a X500 address would mess this up, ideas?

Thanks,jb

--
Jason Benway
Network Services Manager
[EMAIL PROTECTED]
GHSP
1250 S.Beechtree
Grand Haven, MI 49417
616-847-8474
Fax: 616-850-1208
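
The two points made in this thread (joe's: "mail" holds only the SMTP address, X400 is in proxyAddresses by default and X500 only when added by hand; Tony's: "mail" is single-valued so the X500 entry can only be in proxyAddresses) as an added, runnable example.  This is not code from the list, from ADSI or from Exchange.  It writes the LDAP filter that corresponds to the posted SQL query, using the (objectCategory=person)(objectClass=user) idiom for user objects, escapes the user-supplied address per RFC 4515 so a crafted input cannot alter the filter, and parses proxyAddresses by type prefix.  The directory entries are constructed sample data.

```python
"""LDAP lookup by e-mail address and proxyAddresses handling (added example)."""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a string for safe embedding in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def lookup_filter(email):
    """LDAP equivalent of the posted SQL query, with the address escaped."""
    return "(&(objectCategory=person)(objectClass=user)(mail=%s))" % escape_filter_value(email)


def parse_proxy_addresses(values):
    """Group proxyAddresses by type prefix and pick out the primary SMTP address.

    The text before the first colon is the address type.  Exchange writes the
    primary (reply) SMTP address with an upper-case "SMTP:" prefix and secondary
    ones with lower-case "smtp:".  X400 is present by default; X500 only when
    someone added it (typically an old legacyExchangeDN kept for routing).
    """
    by_type = {}
    primary_smtp = None
    for raw in values:
        prefix, sep, address = raw.partition(":")
        if not sep:
            continue  # not in type:address form; skip rather than guess
        by_type.setdefault(prefix.upper(), []).append(address)
        if prefix == "SMTP":
            primary_smtp = address
    return {"primary_smtp": primary_smtp, "by_type": by_type}


def find_by_mail(entries, email):
    """Simulate the (mail=...) match: mail is single-valued and compared
    case-insensitively, so the other address types never enter into it."""
    wanted = email.lower()
    return [e for e in entries if e.get("mail", "").lower() == wanted]


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {
        "displayName": "Jane Example",
        "mail": "jane@example.com",
        "proxyAddresses": [
            "SMTP:jane@example.com",
            "smtp:jane.example@example.com",
            "X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Jane;",
            "X500:/o=OldOrg/ou=First Administrative Group/cn=Recipients/cn=jexample",
        ],
    },
    {
        "displayName": "Sam Example",
        "mail": "sam@example.com",
        "proxyAddresses": [
            "SMTP:sam@example.com",
            "X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Sam;",
        ],
    },
]


def describe(entry):
    """What a follow-up 'other information' lookup gets back for an entry."""
    parsed = parse_proxy_addresses(entry["proxyAddresses"])
    return {
        "displayName": entry["displayName"],
        "primary_smtp": parsed["primary_smtp"],
        "address_types": sorted(parsed["by_type"]),
        "has_x500": "X500" in parsed["by_type"],
    }


if __name__ == "__main__":
    print(lookup_filter("jane@example.com"))
    for hit in find_by_mail(SAMPLE_ENTRIES, "Jane@Example.com"):
        print(describe(hit))
```

If the web application's second step reads proxyAddresses and assumes every value is "SMTP:something", the X500 value (which has no "@" and a slash-separated body) is where a naive parser breaks; parsing by prefix, as above, keeps the lookup working for such users.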


RE: [ActiveDir] ADMod - add to memberOf attribute

2006-05-29 Thread Tony Murray








No, the memberOf attribute, as a back-link to the member attribute, is owned by the system and cannot be written to.  You will need to modify the member attribute on the group object you want to add to.

Tony

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Teo De Las Heras
Sent: Tuesday, 30 May 2006 12:55 p.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADMod - add to memberOf attribute



 



Can ADMod be used to add DN's to the memberOf attribute?  I'm getting "Error 0x35 (53) Unwilling to perform" and "Too many errors encountered".

C:\>admod -b "CN=Recovered Group,OU=Groups,dc=labb,,dc=org" "memberOf:+:CN=DC Admins,ou=groups,dc=labb,dc=org"

Thanks

Teo











RE: [ActiveDir] How To Determine What GC a Server is Using?

2006-05-25 Thread Tony Murray








How about “netstat -b”?  Look for mad.exe connecting to port 3268 (or 3269 for SSL).

Tony

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 May 2006 1:13 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How To Determine What GC a Server is Using?



 

Isn't the 'Login Server' the same as the Domain Controller?  If I do a 'set.exe' from a command prompt, I get the same info as "LOGONSERVER".  What I need specifically, is the Global Catalog server (unless I'm going about this incorrectly).

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
Sent: Thursday, May 25, 2006 5:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How To Determine What GC a Server is Using?

Stu,

Download and configure BGINFO and check the "Login Server" attribute...

http://www.sysinternals.com/Utilities/BgInfo.html

James Blair

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 May 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How To Determine What GC a Server is Using?

We have a strange
situation here where one of our Exchange servers keeps getting 8026 and 2102
errors.  This causes our users on that Exchange server to temporarily lose
connection to the Exchange server.  Also, my Unity server just failed over
to the secondary Unity server at exactly the same time my last Exchange 8026
error happened.  This leads me to believe I may have a problem with a
global catalog server.  Is there a way to determine what GC each server is
using?

Thanks in advance. 




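
One way to turn Tony's netstat check into something repeatable, as an added example that is not code from the list or from Microsoft.  It parses the output of "netstat -b -n" (the -n keeps addresses and ports numeric) and reports which hosts mad.exe is connected to on the GC ports, 3268 for LDAP and 3269 for LDAP over SSL.  The layout assumed is the one Windows netstat prints with -b: each connection line is followed by the owning executable in square brackets.  The sample output and its addresses are constructed.

```python
"""Find the Global Catalog(s) a server is talking to from netstat -b -n output."""
import re
from collections import defaultdict

GC_PORTS = {3268: "GC LDAP", 3269: "GC LDAP/SSL"}

# Constructed sample of "netstat -b -n" output (addresses are documentation ranges).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:1049        192.0.2.21:3268        ESTABLISHED
 [mad.exe]
  TCP    192.0.2.10:1051        192.0.2.22:3269        ESTABLISHED
 [mad.exe]
  TCP    192.0.2.10:1060        192.0.2.21:389         ESTABLISHED
 [store.exe]
  TCP    192.0.2.10:1077        192.0.2.40:445         ESTABLISHED
 [System]
"""

# A connection line: proto, local endpoint, remote endpoint, optional state.
CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s*(?P<state>[A-Z_]+)?\s*$"
)
# The owning process, printed by -b on the line after the connection.
PROC_RE = re.compile(r"^\s*\[(?P<exe>[^\]]+)\]\s*$")


def split_host_port(endpoint):
    """Split 'host:port' (IPv4) or '[host]:port' (IPv6) into (host, port or None)."""
    host, _, port = endpoint.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP connection, with the owning exe when shown."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            rhost, rport = split_host_port(m.group("remote"))
            conns.append({"proto": m.group("proto"), "remote_host": rhost,
                          "remote_port": rport, "state": m.group("state"), "exe": None})
            continue
        m = PROC_RE.match(line)
        if m and conns and conns[-1]["exe"] is None:
            conns[-1]["exe"] = m.group("exe")
        # Component names and "Can not obtain ownership information" lines are ignored.
    return conns


def gc_connections(text, exe="mad.exe"):
    """Map remote host -> set of GC port labels used by the given process."""
    result = defaultdict(set)
    for c in parse_netstat(text):
        if c["exe"] == exe and c["remote_port"] in GC_PORTS:
            result[c["remote_host"]].add(GC_PORTS[c["remote_port"]])
    return dict(result)


if __name__ == "__main__":
    for host, labels in sorted(gc_connections(SAMPLE_NETSTAT).items()):
        print(host, ", ".join(sorted(labels)))
```

Run netstat from an elevated prompt on the Exchange server (the -b switch needs it), save the output to a file and pass the text to gc_connections().  Looking up mad.exe's connections only answers the question for the System Attendant; store.exe's DSAccess connections to port 389/3268 are visible in the same output with exe="store.exe".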





RE: [ActiveDir] OT: Mailing problem exchange 2003 server

2006-05-24 Thread Tony Murray



As James correctly points out - we do need a little 
more information to go on.  However, as this is the same Exchange 
Organization (single forest) we're talking about there may be no need for 
an SMTP connector.  It depends on how the routing groups are 
configured.  Perhaps Ajay could provide a little more detail on what 
Exchange servers are currently in place and how the routing groups are currently 
configured?  If there is no Exchange server in the child domain then it 
should be possible to create mailboxes for those users on the Exchange server in 
the root domain.
 
Tony


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
Sent: Thursday, 25 May 2006 6:09 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Mailing problem exchange 2003 server

Ajay,

Need to put OT in the topic for this one...with the limited information I am going to presume that the other domain is running Exchange as well...You need to create an SMTP connector between parent root server and their Exchange server.

Exchange System Manager - Administrative Groups - 
 - Routing Groups - Connectors - 
 - New SMTP Connector

They would of course have to do the same thing and if a firewall is in place you will need to open the respective ports...

James Blair


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ajay Kumar
Sent: Thursday, 25 May 2006 3:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Mailing problem exchange 2003 server

Dear all,

I have a parent root server, in which exchange server 2003 is installed, and I have another child domain in the same forest.
Can anyone tell me how I can send and receive mails between the parent and child Domain?

Thanks & Regards,

Ajay



RE: [ActiveDir] OT: Exchange Cache Mode -Help

2006-05-17 Thread Tony Murray








Milton (and everyone else), it would be good if you can use “OT:” in the subject field if you plan to post something off the topic of AD.  That way others can use Inbox rules to filter the messages out if they don’t want to see them.

In response to your question, I think we need a little more information to work with.  Are you saying that the missing emails are visible on the server when, for example, viewed with OWA?  If so, it sounds like a client issue.  Do you see any entries in the “Sync Issues” folder on the affected Outlook client(s)?  If you recreate the profile, does the problem persist?

Tony

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Thursday, 18 May 2006 8:36 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Cache Mode -Help



 

Did I not get the memo about this list changing to the Exchange list?

Hmmm... Maybe I need to re-evaluate my filters.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Milton Sancho
Sent: Wednesday, May 17, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange Cache Mode -Help

I have a Win 2003 -installed exchange server 2003
Scenario:

I have a user who has configured her exchange mailbox properly; the user is using a cache mode file (.ost), so far good.  Yesterday I configured her laptop because she is leaving the country; I configured (Exchange access over HTTP) plus option Cache Mode.  But 2 hours later the user called me telling me she lost all the e-mails of the day!!  I checked and she was right.  The e-mails were not there??  However I found all the e-mails in the server (Message Tracking Center).

Two days ago an IT guy removed the mailbox from another user (Computer maintenance), then he reconfigured the mailbox and set it to use a new .ost file; the last one was 480MB, but now ... the user called me telling me he can not find a lot of e-mails that he received??  ... The same: all the e-mails are in the server but not in the client.

I am not sure what is going on??  Please comment to solve this situation.

Thank You ...









RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

2006-05-15 Thread Tony Murray
windowsserverfaq.org

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, May 16, 2006 12:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is there a way to force users to logon to
domain?

I have a rule that auto-deletes Al’s emails as a matter of course.  :)

I can confirm what others have said – that the emails are visible in Outlook 2007.  Still checking to see if there is a way to resolve this on the list server side, but haven’t found anything yet.

Tony

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, 16 May 2006 9:42 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is there a way to force users to logon to
domain?



 

Crap, more blank emails from Al. Al, use hotmail or something. ;)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 15, 2006 4:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?









RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-15 Thread Tony Murray








I have a rule that auto-deletes Al’s emails as a matter of course.  :)

I can confirm what others have said – that the emails are visible in Outlook 2007.  Still checking to see if there is a way to resolve this on the list server side, but haven’t found anything yet.

Tony


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, 16 May 2006 9:42 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is there a way to force users to logon to
domain?



 

Crap, more blank emails from Al. Al, use hotmail or something. ;)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 15, 2006 4:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?









RE: [ActiveDir] OldCmp question

2006-05-15 Thread Tony Murray








Hi Russ

Just out of idle curiosity, I would be interested to know why you decided to extend the schema to flag all service accounts.  I’ve seen organisations use a specific naming convention to identify service accounts before, but never adding a new attribute.

Tony

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, 16 May 2006 8:38 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question



 

I ended up using

oldcmp -report -age 120 -users -f "(&(objectcategory=person)(objectclass=user)(!(ourAttribute=TRUE)))"

And it seemed to work.

Thanks

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

-af "(!(ourProperty=TRUE))"

It would be more efficient and faster for the query to actually set all of the non-service accounts to FALSE so then you can do

-af "(ourProperty=FALSE)"

NOT filters aren't the greatest for efficiency plus you can get false positives because an account that you can't see the ourProperty value on due to security will be reported even if it has ourProperty set to TRUE.

  joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, May 15, 2006 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp question



I've created a new boolean schema property to flag all of our service accounts in
our AD domain.

I've gone through and set the boolean to "TRUE" to all the service accounts.

Now I want to use oldcmp to go through and find all the ones that aren't "TRUE"
and meet other criteria.  I've determined I can do an -af ourProperty=TRUE and
show the accounts that are service accounts, but I want any that are NOT service
accounts.  I tried -af ourProperty=" " and "" and -af ourProperty="" and nothing
seems to work.  Any ideas?

  ~~
  This e-mail is confidential, may contain proprietary information
  of Cameron and its operating Divisions and may be confidential
  or privileged.
  
  This e-mail should be read, copied, disseminated and/or used only
  by the addressee. If you have received this message in error please
  delete it, together with any attachments, from your system.
  ~~
  
This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.

RE: [ActiveDir] OT: Microsoft Audit Collection System

2006-04-30 Thread Tony Murray
Thanks David (and Brian)

Seems to have been a long time coming :-)

I'll have to see if I can get on to the Beta.

Tony
-- Original Message --
From: "David Adner" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Sun, 30 Apr 2006 21:08:56 -0500

It's part of the next MOM release... forget everything you used to know
about it. 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> Sent: Sunday, April 30, 2006 8:48 PM
> To: activedir@mail.activedir.org
> Subject: [ActiveDir] OT: Microsoft Audit Collection System
> 
> Hi all 
> 
> Does anyone know the story of what happened to the Microsoft 
> Audit Collection System (MACS)?  It doesn't appear to have 
> made it as a free download (as was suggested in some TechEd 
> presentations a few years back).  Some references indicate 
> that it has been rolled into MOM 2005, but I haven't found 
> any detailed information to support this.
> 
> Tony
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] OT: Microsoft Audit Collection System

2006-04-30 Thread Tony Murray
Hi all 

Does anyone know the story of what happened to the Microsoft Audit
Collection System (MACS)?  It doesn't appear to have made it as a
free download (as was suggested in some TechEd presentations a few
years back).  Some references indicate that it has been rolled into
MOM 2005, but I haven't found any detailed information to support
this.

Tony


RE: [ActiveDir] How to verify which DC authenticated a user account?

2006-04-13 Thread Tony Murray
You work for an imaginary company? :-)

You can check the secure channel using nltest, as follows:

Nltest /sc_query:<domain> /server:<server>

e.g.

Nltest /sc_query:MYDOM /server:MYSRV

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, 14 April 2006 11:53 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to verify which DC authenticated a user account?

Greetings, 

We seem to be getting intermittent authentication errors on several servers
that are pulling reports from our SQL & Oracle database clusters and the
site that I am located in at an imaginary company.  I remember using a
command in NT 3.51 that told you the PDC or BDC that processed your logon or
authenticated you, but forgot it. I tried srvinfo and it only shows you the
PDC emulator in the domain; is there a recommended tool for Active
Directory? We don't have USRSTAT, is that it? Is it NETDOM or NLTEST?

 Also when I run NETDIAG the following errors appear:

Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for " Oracle server name ".

LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC ' **"

[WARNING] Failed to query SPN registration on DC ' ' **"

[WARNING] Failed to query SPN registration on DC ' ' **"

[WARNING] Failed to query SPN registration on DC ' ' **"

[WARNING] Failed to query SPN registration on DC ' ' **"

Trust relationship test. . . . . . : Failed
Secure channel for domain ' USA' is to '\\usa.server.com'.
[FATAL] Cannot test secure channel for domain 'USA" to DC 'server06'. [ERROR_NO_LOGON_SERVERS]


--

Sincerely,

Jose Medeiros
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell



RE: [ActiveDir] how to display DC services on a single line?

2006-04-13 Thread Tony Murray
Nltest perhaps?

C:\Documents and Settings\Administrator.SRDC2>nltest /dsgetdc:north
   DC: \\DCN1
  Address: \\192.168.5.2
 Dom Guid: 3efc188a-c7bb-4c72-9129-262d4a4b8fba
 Dom Name: NORTH
  Forest Name: north.com
 Dc Site Name: NORTH
Our Site Name: NORTH
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE
The command completed successfully 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, 14 April 2006 7:28 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] how to display DC services on a single line?

 There is a command that shows on a single line what
services are running on a DC.  The output is something like
DS::GC::Time::LDAP::  Can someone help this poor, tired brain
out?  Thanks!

Mike Thommes


RE: [ActiveDir] Extending the schema

2006-04-11 Thread Tony Murray
You could look at it the other way and ask what the benefit would be of
performing the schema extensions now as opposed to later. The full GC
sync that used to cause a replication storm (in certain AD environments)
does not occur with 2003 DCs. 

Given that, historically, Microsoft is not exempt from mangling
attributes through schema extensions I would probably wait until you
have to before applying the updates.  The usual advice about thorough
lab testing applies...

Tony 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, 12 April 2006 10:59 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Extending the schema

We're a native win2k domain and are a few DC upgrades away from going to
2003 native mode.

We're evaluating Live Communications Server, Sharepoint, Biztalk, etc,
etc.

Are there any negatives involved in extending the schema if there's a
possibility we may scrap these projects altogether, or is it not such a
bad thing like it once was thought to be?

Thanks


RE: [ActiveDir] IIFP GAL Sync

2006-04-11 Thread Tony Murray
Thanks Ion (and Gil)

Yes, the Enterprise Edition requirement for the server running MIIS is an
interesting one.  I think this is based less on technical dependencies than on
licence costs.

Tony

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ion Gott
Sent: Wednesday, 12 April 2006 10:15 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IIFP GAL Sync

I have used it between a Windows 2000 Forest and a Windows 2003 Forest to Sync
the GAL between the two.

The only odd requirement I recall was that the req's said it had to run on a
Windows Server 2003 Enterprise Edition server and I ended up installing on a
Windows 2003 Ent Edition member server.

Ion V. Gott
Principal Consultant
CISSP, MCSE + Security/Messaging
Certified OCTAVE Trainer

DynTek, Inc.
19700 Fairchild Road, Suite 350
Irvine, CA 92612
Phone: 949.271.0911
Web:   www.dyntek.com

Microsoft Gold Certified Partner
Citrix Platinum Solution Advisor
Cisco Gold Partner
McAfee Elite Partner

From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Tue 4/11/2006 2:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IIFP GAL Sync

I'm pretty sure it works fine with W2K AD. MIIS itself needs to run on WS2K3 though.

-gil

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, April 11, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] IIFP GAL Sync

Hi all

I was discussing GAL sync using IIFP with someone today and he said he thought
there was a requirement for the DC that IIFP uses to be 2003.  I can't see this
requirement in the product documentation.  Can anyone confirm this?

Tony


[ActiveDir] IIFP GAL Sync

2006-04-11 Thread Tony Murray
Hi all

I was discussing GAL sync using IIFP with someone today and he said he thought
there was a requirement for the DC that IIFP uses to be 2003.  I can't see this
requirement in the product documentation.  Can anyone confirm this?

Tony


[ActiveDir] List problems - resolved

2006-04-11 Thread Tony Murray
You will have noticed that messages are now coming through again.  The problem
has been resolved and all should be back to normal.  Any emails sent to the list
during the outage will not have been queued, so please send again.

Thanks to the 732 of you who alerted me to the fact that the list was not
operational :-)

Tony


RE: [ActiveDir] Daylight savings query

2006-04-03 Thread Tony Murray
Sounds like a good registry setting to apply via GPO (as you indicate
further down in your original email).  One option would be to link the
policy at the site level, as long as these correspond to the correct
time zones you need.

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, 4 April 2006 1:20 p.m.
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: Re: [ActiveDir] Daylight savings query

Without walking around to every stupid new desktop every year and
getting mad at Dell that they aren't picking up the right timezones 
I want to set at my desktop eating bon bons and scan them and see if
they've screwed up and the Secretaries will be booking appointments in
the wrong time zones and the bosses will be getting mad

(Bosses get the new computers.. Secretaries get the old ones that
already have the time zone problem resolved)

Basically I'm asking... what do you guys do in big server land to ensure
that every stupid Outlook is booking appointments in the proper zone?

Dean Wells wrote:

>It's late so that could well be it ... but I'm afraid I'm uncertain as 
>to what it is you've not already ascertained for yourself?
>
>--
>Dean Wells
>MSEtechnology
>* Email: [EMAIL PROTECTED]
>http://msetechnology.com
>
> 
>
>  
>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
>>Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>Sent: Monday, April 03, 2006 8:33 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: [ActiveDir] Daylight savings query
>>
>>(someone go pick Joe up off the floor after I post this.. I'm actually
>>asking about scripting)
>>
>>
>>Is there a script that can be run to determine what a computer's time 
>>zone status is?  Some WMI status in AD or something?  It seems like 
>>every time I get new computers in the office...the OEM image that we 
>>don't nuke and pave means that they do not grab the "automatically 
>>adjust" setting, even though it's checked, so they end up staying on 
>>standard time rather than flipping to daylight savings and thus 
>>causing appointments to be off an hour.
>>
>>Okay so the setting is under
>>
>>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
>>But the values under there are not jumping out at me as to which one 
>>the machine is broadcasting?
>>
>>Is it "Daylight Bias" RegDword ffc4"  ...as if I flip the gui on 
>>and off.. that value goes down to 0
>>
>>...wonder if I can group policy that reg key value...hmm
>>
>>
>>How to configure daylight saving time dates for Brazil:
>>http://support.microsoft.com/?kbid=317211
>>
>>"Use a script to delete "DisableAutoDaylightTimeSet" from the 
>>registry.
>>When deleted 'Automatically adjust clock for daylight savings changes'
>>in Windows will be checked.
>>
>>The registry key is:
>>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation "
>>
>>
>>
>>--
>>Letting your vendors set your risk analysis these days?  
>>http://www.threatcode.com
>>



RE: [ActiveDir] OT: Microsoft Announces New Price, and Availability of Linux Support, for Virtual Server 2005 R2:

2006-04-03 Thread Tony Murray
I think that was always on the cards after VMWare made their entry-level
server product free.

http://www.vmware.com/products/server/

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, 4 April 2006 5:53 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Microsoft Announces New Price, and Availability
of Linux Support, for Virtual Server 2005 R2:

Microsoft Virtual Server 2005 Market Bulletin: Microsoft Announces New
Price, and Availability of Linux Support, for Virtual Server 2005 R2:
http://www.microsoft.com/windowsserversystem/virtualserver/evaluation/news/bulletins/vs05pricing.mspx


(uh..like free)


http://www.microsoft.com/downloads/details.aspx?familyid=6dba2278-b022-4f56-af96-7b95975db13b&displaylang=en


Download the Enterprise Edition of Microsoft Virtual Server 2005 R2.
Virtual Server R2 is a cost-effective and well supported server
virtualization technology for the Windows Server System(tm) platform. As a
key part of any server consolidation strategy, Virtual Server increases
hardware utilization and enables organizations to rapidly configure and
deploy new servers.



RE: [ActiveDir] ADAM - logging inefficient and expensive searches

2006-04-02 Thread Tony Murray
Mmm, I've just tested on a DC and the "0" setting for Expensive Search Results
Threshold doesn't work, whereas the "1" setting does.  I was going by the tip in
Robbie's AD Cookbook, but I guess it doesn't work on a 2003 DC.  Perhaps the
behaviour has changed since 2000.  I would ask for a refund on the Cookbook, but
seeing that a) I didn't pay for my copy and b) I was one of the tech reviewers,
I would not be coming from a position of strength :-)

Thanks Joe.

Tony

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, 3 April 2006 4:31 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM - logging inefficient and expensive searches

Hi Joe

I wanted to log all LDAP searches and therefore set the Expensive Search Results
Threshold to 0.  This works on DCs, so I assumed it would on ADAM.

Tony

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, 3 April 2006 4:22 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM - logging inefficient and expensive searches

Tony what exactly are you trying to accomplish and what exactly are you setting?

If, for instance, you want to enable logging of all queries then you want to set
the Diagnostics\15 Field Engineering to 5 and then set parameters\Expensive
Search Results Threshold to 1 and parameters\Inefficient Search Results
Threshold to 1.

If you don't set the field engineering to 5 or if you set the thresholds to say
0 you won't get anything.

I have enabled this logging on ADAM SP1/R2 and it has worked fine. I never tried
it on the original version but would be surprised if it didn't work for that as
well.

   joe

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Sunday, April 02, 2006 11:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM - logging inefficient and expensive searches

Hi all

Has anyone had any success with logging inefficient and/or expensive searches
in ADAM?

I've tried following the suggestions shown in the link below, but substituting
"NTDS" with the name of the ADAM instance in the registry settings (e.g.
ADAM_Instance1).

http://msdn.microsoft.com/library/default.asp?url="">

It didn't work.  :-(

Any thoughts?

Tony